CODEWITHSUNDEEP
javascriptgoogle-mapsgoogle-maps-api-3content-security-policy
anthony-dandrea
anthony-dandrea

Reputation: 2813

CSP unsafe-eval using Google Maps API

Getting script-src 'unsafe-eval' error when trying to use Google Maps' API.

<script src="https://maps.googleapis.com/maps/api/js?v=3.exp&sensor=false"></script>

Here's the console error:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' ' *.gstatic.com *.googleapis.com *.google-analytics.com *.google.com".

You would think Google wouldn't have any unsafe-eval triggers in their libraries. Incase it could be my side my code is below:

js

function initialize() {
    // Create the map.

    var mapOptions = {
        zoom: 4,
        center: new google.maps.LatLng(37.09024, -95.712891),
        mapTypeId: google.maps.MapTypeId.ROADMAP,
        zoomControl: true,
        streetViewControl: false
    };

    var map = new google.maps.Map(document.getElementById('map-canvas'),
        mapOptions);

    google.maps.event.addListener(map, "click", function (e) {

        var marker = new google.maps.Marker({
              draggable: true,
              raiseOnDrag: false,
              map: map,
              position: e.latLng
        });

        var radius = Math.pow(2, (20 - map.getZoom())) * 3;
        if (radius < 100) {
            radius = 100;
        }

        var circle = new google.maps.Circle({
            map: map,
            editable: true,
            radius: radius,
            fillColor: '#0159e5',
            strokeColor: '#0159e5',
            strokeWeight: 1,
            geodesic: true
        });

        circle.bindTo('center', marker, 'position');

        google.maps.event.addListener(circle, 'radius_changed', function() {
            if (circle.getRadius() < 100){
                circle.setRadius(100);
            }
        });

        //Set form fields
        document.getElementById("geo-fence-lat").value = marker.getPosition().lat();
        document.getElementById("geo-fence-long").value = marker.getPosition().lng();
        document.getElementById("geo-fence-radius").value = Math.ceil(radius/100)*100;

        google.maps.event.clearListeners(map, "click");

        addListeners(circle);
    });


}

Any fixes or ideas for GMaps alternatives would be appreciated.

Edit: These are the offending lines in Chrome. Found in maps.gstatic.com maps-api-v3/api/js/21/2/main.js. 

Kh.main = function(a) {
    eval(a)
};
fg("main", {});

function ql(a) {
    return O(eval, k, "window." + a + "()")
}

Upvotes: 1

Views: 4779

Answers (1)

pirxpilot
pirxpilot

Reputation: 1647

Looks like it's been mostly fixed in Google Maps 3.23 - see issue 4201

There are still some instances of eval in the code - like eval('document.namespaces') inside of the try blocks (see: related Closure fix)

Upvotes: 1

Related Questions