Naseem

Reputation: 961

Getting error "org.openqa.selenium.JavascriptException: javascript error: eval is disabled" while trying to do accessibility testing using Axe-Core

I am trying to do accessibility testing using the Axe-Core tool, with Java as the programming language. I was able to get the result from many pages in my application, but for one of the pages I am getting this error:

 org.openqa.selenium.JavascriptException: javascript error: eval is disabled
(Session info: chrome=81.0.4044.138)
Build info: version: '3.141.59', revision: 'e82be7d358', time: '2018-11-14T08:17:03'
System info: host: 'XXXX', ip: 'XXXX', os.name: 'Windows 10', os.arch: 'amd64', 
os.version: '10.0', java.version: '1.8.0_131'
Driver info: org.openqa.selenium.chrome.ChromeDriver
Capabilities {acceptInsecureCerts: false, browserName: chrome, browserVersion: 81.0.4044.138, chrome: 
{chromedriverVersion: 81.0.4044.138 (8c6c7ba89cc9..., userDataDir: C:\Users\NASEEM~1.AHM\AppDa...}, 
goog:chromeOptions: {debuggerAddress: localhost:52030}, javascriptEnabled: true, 
networkConnectionEnabled: false, pageLoadStrategy: normal, platform: WINDOWS, platformName: WINDOWS, 
proxy: Proxy(), setWindowRect: true, strictFileInteractability: false, timeouts: {implicit: 0, 
pageLoad: 300000, script: 30000}, unhandledPromptBehavior: dismiss and notify, webauthn:virtualAuthenticators: true}
Session ID: cbdfe9de190b8224da1ec675bef90966

I am getting the above error in the code

 JSONObject responseJSON = new AXE.Builder(driver, scriptUrl).analyze(); 

I am getting this error while running the test in Chrome browser. I executed the same code in Firefox browser and there I was able to run it without any issue.

Is there anything I should add while running the test? Should I include any Desired Capabilities?

Please suggest.

Upvotes: 0

Views: 756

Answers (1)

GrahamTheDev

Reputation: 24825

My suspicion is that you are getting this error as the site you are testing has a content security policy.

A Content Security Policy (CSP) allows a website owner to protect their end users by ensuring no malicious third party JS, CSS, images etc. are injected into the site. Anything included in the CSP is allowed, anything not included is blocked.

A CSP will block the JavaScript eval function, which is required in your programme.

The site owner would have to explicitly allow eval on their site (as it is blocked by default if you have any JS rules in your CSP) by adding unsafe-eval as one of the rules on their CSP.

Taken from the page I linked on CSP:-

'unsafe-eval'

Allows the use of eval() and similar methods for creating code from strings. You must include the single quotes.

The only way you could fix this is by asking the owner of the site to add that to their CSP or by changing whichever function is injecting eval into their site.

If you want another site to test to confirm it is CSP that is blocking your script you can try mine https://klu.io as my CSP is very strict.

Update after conversations

It appears I got the problem correct but not the cause.

This was being caused by the website overriding window.eval to throw an error (basically disabling it). The following fiddle demonstrates this behaviour in its most basic form.

window.eval = function(){
	   throw new Error("window.eval is disabled");
}

eval(1);

There isn't much you can do at this point without rewriting Axe-Core to not use eval as it obviously injects this into the Window being tested at some point.

The only idea I have (if someone else stumbles across this problem) to fix this would be to replace the offending script, the one that has the function that overrides window.eval, with a duplicate that has every other function cloned other than the one that blocks the script running. However, if they are disabling window.eval, then it is highly likely that they are also using a CSP, and so you wouldn't be able to inject a script.

Upvotes: 2
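
The two causes discussed in the answer above (a CSP without 'unsafe-eval', and a page that replaces window.eval) can be told apart without calling eval. This is an added example, not part of the original answer and not Axe-Core or Selenium code; the function names and sample inputs are hypothetical, and the CSP check covers only script-src and default-src.

```javascript
// Added diagnostic example; function names are hypothetical, not Axe-Core or Selenium APIs.

// True when one CSP policy string permits eval(). eval is governed by
// script-src, falling back to default-src; with neither present it is unrestricted.
function policyAllowsEval(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // When a directive is repeated, only its first occurrence counts.
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// A header value may carry several comma-separated policies; every one must allow eval.
function cspAllowsEval(headerValue) {
  return headerValue.split(',').every(policyAllowsEval);
}

// Classifies why eval might fail on a page without ever calling it.
// win: the page's window object; headerValue: its Content-Security-Policy header ('' if none).
function diagnoseEval(win, headerValue = '') {
  const fn = win.eval;
  // Built-in functions stringify with "[native code]"; a page-defined replacement
  // shows its own source instead. Good enough for triage, not a tamper-proof check.
  const isNative = typeof fn === 'function' &&
    /\[native code\]/.test(Function.prototype.toString.call(fn));
  if (!isNative) return 'overridden-by-page';
  if (!cspAllowsEval(headerValue)) return 'blocked-by-csp';
  return 'available';
}

// Constructed samples: the override from the answer above, and a strict policy.
const overriddenWindow = {
  eval: function () { throw new Error('window.eval is disabled'); },
};
console.log(diagnoseEval(overriddenWindow));
console.log(diagnoseEval({ eval: globalThis.eval }, "default-src 'self'"));
```

In a browser, pass `window` and the value of the page's Content-Security-Policy response header, for example from the DevTools console.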
