Reputation: 937
I am receiving the following error:
Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src”). Source: call to eval() or related function blocked by CSP.
The site is running Laravel, but I have introduced a simple index.html to rule out that possibility:
```html
<!DOCTYPE html>
<html lang="en">
<head>
</head>
<body>
</body>
</html>
```
Which gives the same error.
Here is the relevant code from httpd.conf
httpd-2.4.6-80.el7.centos.1.x86_64
```apache
<IfModule mod_headers.c>
    <Directory />
        Header always set X-XSS-Protection "1; mode=block"
        Header always set x-Frame-Options "SAMEORIGIN"
        Header always set X-Content-Type-Options "nosniff"
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
        Header always set Content-Security-Policy "default-src 'self' *.pusher.com; img-src 'self'; style-src *.fontawesome.com https://fonts.gstatic.com https://fonts.googleapis.com; font-src *.fontawesome.com https://fonts.gstatic.com;"
        Header always set Referrer-Policy "strict-origin"
    </Directory>
</IfModule>
```
I have also attempted using my domain, `default-src *.domain.com;`, with the same result.
EDIT: Is this what you mean? This is a 'view source' of the `index.html` as the server sees it, with the error as shown when viewing that page via the browser. Also, since the site is locked to only a handful of IP addresses, I would find it very odd if something is being injected.
Upvotes: 1
Views: 2077
Reputation: 937
Problem solved - Thank you sideshowbarker
It was a plugin, Vue.js devtools to be specific.
I hadn't even thought a plugin could do that.
I am curious now, though, as to how to notify a user if a plugin causes that issue in the future.
Upvotes: 2
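The policy in the question has no `script-src`, so `eval()` falls under `default-src`, which is why the error names that directive. As an added example (not code from either post), the JavaScript below works that out for the question's policy and classifies a `securitypolicyviolation` event by its reported source. The function names and the list of extension URL schemes are assumptions, and the scheme check is a heuristic, since browsers may omit or truncate the source.

```javascript
// Policy copied from the question's httpd.conf.
const QUESTION_POLICY = "default-src 'self' *.pusher.com; img-src 'self'; " +
  "style-src *.fontawesome.com https://fonts.gstatic.com https://fonts.googleapis.com; " +
  "font-src *.fontawesome.com https://fonts.gstatic.com;";

// Parse a CSP header value into { directive: [source, ...] }.
function parseCsp(policy) {
  const directives = Object.create(null); // no inherited keys such as "constructor"
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

// eval() is governed by script-src, falling back to default-src, and is
// allowed only if that directive lists 'unsafe-eval'.
function evalVerdict(policy) {
  const d = parseCsp(policy);
  const governing = ['script-src', 'default-src'].find((n) => n in d) || null;
  const allowed = governing === null ||
    d[governing].some((s) => s.toLowerCase() === "'unsafe-eval'");
  return { governing, allowed };
}

// Heuristic (assumed scheme list): extension-injected code is reported with an
// extension scheme in sourceFile or blockedURI. Absence proves nothing.
const EXTENSION_SCHEME = /^(moz-extension|chrome-extension|safari-web-extension)\b/i;

function classifyViolation(v) {
  const fromExtension = [v.sourceFile, v.blockedURI]
    .some((u) => typeof u === 'string' && EXTENSION_SCHEME.test(u));
  return {
    kind: v.blockedURI === 'eval' ? 'eval' : 'resource',
    origin: fromExtension ? 'extension' : 'page-or-unknown',
  };
}

// In a browser, log every violation the document raises (no-op under Node).
if (typeof document !== 'undefined') {
  document.addEventListener('securitypolicyviolation', (e) => {
    console.warn('CSP violation', classifyViolation(e), e.violatedDirective);
  });
}
```

A violation that appears only in one browser profile and disappears in a private window with extensions disabled points to the same cause, even when the event carries no extension scheme.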