yogiben / meteor-autoform-modals

Adds modals to insert/update/delete Meteor collections

'unsafe-eval' #20

Open DroyInc opened 9 years ago

DroyInc commented 9 years ago

First of all thanks for this awesome package!

Since I've updated my complete Meteor instance, I suddenly ran into this error when I click an edit or delete button to open up a modal:

 Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' http://fonts.googleapis.com http://fonts.gstatic.com https://lh4.googleusercontent.com https://maps.googleapis.com http://cdn.segment.io http://cdn.mxpnl.com".

debug.js:41 Exception in template helper: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' http://fonts.googleapis.com http://fonts.gstatic.com https://lh4.googleusercontent.com https://maps.googleapis.com http://cdn.segment.io http://cdn.mxpnl.com".

    at Object.StringTemplate.compile (http://localhost:3000/packages/mpowaga_string-template.js?107007c37b40aaeff7870ced332ab360e0dc1c52:44:22)
    at Object.<anonymous> (http://localhost:3000/packages/mpowaga_string-template.js?107007c37b40aaeff7870ced332ab360e0dc1c52:69:24)
    at http://localhost:3000/packages/blaze.js?efa68f65e67544b5a05509804bf97e2c91ce75eb:2727:16
    at http://localhost:3000/packages/blaze.js?efa68f65e67544b5a05509804bf97e2c91ce75eb:1606:16
    at Spacebars.call (http://localhost:3000/packages/spacebars.js?3c496d2950151d744a8574297b46d2763a123bdf:169:18)
    at Spacebars.mustacheImpl (http://localhost:3000/packages/spacebars.js?3c496d2950151d744a8574297b46d2763a123bdf:106:25)
    at Object.Spacebars.mustache (http://localhost:3000/packages/spacebars.js?3c496d2950151d744a8574297b46d2763a123bdf:110:39)
    at null._render (http://localhost:3000/packages/yogiben_autoform-modals.js?93c6d91a52745a9ab455524a2ec056b80b1be492:77:44)
    at doRender (http://localhost:3000/packages/blaze.js?efa68f65e67544b5a05509804bf97e2c91ce75eb:1866:25)
    at http://localhost:3000/packages/blaze.js?efa68f65e67544b5a05509804bf97e2c91ce75eb:1808:16

The modal still opens, but there is no title and button text. I can still see my edit form and I can still delete a doc. This is what my delete modal looks like: [screenshot: screen shot 2014-12-22 at 09 11 19]

These are my other packages:

# Meteor packages used by this project, one per line.
#
# 'meteor add' and 'meteor remove' will edit this file for you,
# but you can also edit it by hand.

standard-app-packages
less
jquery
aldeed:collection2
iron:router
raix:handlebar-helpers
nooitaf:semantic-ui-less
fastclick
zimme:iron-router-active
manuelschoebel:ms-seo
browser-policy
coffeescript
linto:fontawesome
sacha:spin
underscore
sergeyt:typeahead
mizzao:bootstrap-3
mrt:selectize
rajit:bootstrap3-datepicker
aldeed:autoform-bs-datepicker
accounts-ui
useraccounts:core
useraccounts:bootstrap
accounts-password
aldeed:autoform
aldeed:autoform-select2
natestrauser:select2
email
percolatestudio:percolatestudio-migrations
cmather:handlebars-server
momentjs:moment
percolatestudio:segment.io@1.1.0_1

matteodem:easy-security
yogiben:autoform-modals

roelvan commented 9 years ago

If you remove browser-policy, you won't get that message anymore. Also your modal will look normal again.

aladine commented 9 years ago

This is not an ideal solution since I need browser-policy package for security.

sunkay commented 9 years ago

I have the same problem. Is there a list of URLs that we need to add to the Browser Policy to allow origin?

I could not get the URLs that this package is accessing.

Thanks

roelvan commented 9 years ago

@sunkay it's not a specific URL, autoform-modals depends on this package: https://atmospherejs.com/mpowaga/string-template which uses the unsafe eval() call.

roelvan commented 9 years ago

@sunkay adding this rule will fix this problem: BrowserPolicy.content.allowEval()

Bear in mind the following if you do add this: Note: Both 'unsafe-inline' and 'unsafe-eval' are unsafe and can open your web site up to cross-site scripting vulnerabilities.
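As an added example (not code from this thread or from the browser-policy package): a small JavaScript checker that parses a CSP header like the one in the error above, reports whether a string-to-code eval() such as string-template's compile step would be refused, and shows what the policy looks like once 'unsafe-eval' is added. The withUnsafeEval helper is an assumption, a simplified model of the effect of BrowserPolicy.content.allowEval(), not the package's implementation.

```javascript
// Directive copied verbatim from the EvalError in the issue.
const CSP_FROM_ISSUE =
  "script-src 'self' 'unsafe-inline' http://fonts.googleapis.com " +
  "http://fonts.gstatic.com https://lh4.googleusercontent.com " +
  "https://maps.googleapis.com http://cdn.segment.io http://cdn.mxpnl.com";

// Parse a CSP header value into { directiveName: [source, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Sources governing script execution: script-src, else default-src, else null
// (no directive at all means the browser does not restrict eval).
function scriptSources(policy) {
  return policy['script-src'] || policy['default-src'] || null;
}

// Would eval()/new Function() throw an EvalError under this header?
function evalBlocked(header) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) return false;
  return !sources.includes("'unsafe-eval'");
}

// Risk-relevant summary of the script-src directive for a reviewer.
function auditScriptSrc(header) {
  const sources = scriptSources(parseCsp(header)) || [];
  return {
    evalBlocked: evalBlocked(header),
    allowsInlineScripts: sources.includes("'unsafe-inline'"),
    externalHosts: sources.filter((s) => !s.startsWith("'")),
  };
}

// Assumption: simplified model of allowEval(), which appends 'unsafe-eval'
// to script-src; the real package builds the header from its own state.
function withUnsafeEval(header) {
  const policy = parseCsp(header);
  const sources = scriptSources(policy) || [];
  if (!sources.includes("'unsafe-eval'")) sources.push("'unsafe-eval'");
  policy['script-src'] = sources;
  return Object.entries(policy).map(([k, v]) => [k, ...v].join(' ')).join('; ');
}
```

Running auditScriptSrc on the directive from the issue shows both why the template helper fails (no 'unsafe-eval') and what the policy already permits ('unsafe-inline' plus six external hosts), which is the trade-off the note above is warning about.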

aladine commented 9 years ago

@roelvan Great, it's actually a workaround