amir kat

Reputation: 11

unsafe-eval in the handlebar.min.js

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".

I am facing an error while loading handlebar.min.js with the HTTP header Content-Security-Policy set to script-src 'self' 'unsafe-inline'.

I don't want to use 'unsafe-eval' in the script-src, but handlebar.min.js requires unsafe-eval to proceed.

It seems the functions below, used by the js, require unsafe-eval to run:

>> f(Function.call,k)

>> Function.apply(this,["fn","props","container","depth0","data","blockParams","depths",this.decorators.merge()])

>> Function.apply(this,f))

I'm using the latest version of js (version 4.7.8)

https://s3.amazonaws.com/builds.handlebarsjs.com/handlebars.min-v4.7.8.js

After giving the HTTP header Content-Security-Policy as script-src 'self' 'unsafe-inline' 'unsafe-eval', it works. But I need to remove unsafe-eval here.

Upvotes: 1

Views: 351

Answers (1)

Rana sharjeel Ali

Reputation: 107

Re-check handlebar installation.

npm list handlebars

If it is not installed, install handlebars:

npm install -g handlebars

Also, instead of doing runtime compilation, do pre-compilation:

handlebars template.hbs -f template.js

You can temporarily relax your CSP. However, this should not be done in production due to security risks:

Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval';

Upvotes: -1
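
A build-time check for the situation in this thread, added here as an example (it is not code from the question, the answer or Handlebars): it scans a script for the Function-constructor call sites the question lists and reports whether a given Content-Security-Policy value permits them. The function names and both sample scripts are constructed for illustration.

```javascript
// Added example: function names and sample inputs are constructed for illustration.

// String-to-code sinks that CSP blocks unless script-src includes 'unsafe-eval'.
const EVAL_SINKS = [
  { name: 'eval()', re: /\beval\s*\(/g },
  { name: 'new Function()', re: /\bnew\s+Function\s*\(/g },
  { name: 'Function.apply/call', re: /\bFunction\.(?:apply|call)\b/g },
  { name: 'string timer', re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/g },
];

// Return [{ name, index }] for every sink found in a script's source text.
function findEvalSinks(source) {
  const hits = [];
  for (const { name, re } of EVAL_SINKS) {
    for (const m of source.matchAll(re)) hits.push({ name, index: m.index });
  }
  return hits.sort((a, b) => a.index - b.index);
}

// Parse a Content-Security-Policy value; true if string evaluation is permitted.
function cspAllowsEval(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  // eval-like calls are governed by script-src, falling back to default-src.
  const effective = directives.get('script-src') ?? directives.get('default-src');
  if (effective === undefined) return true; // no directive restricts scripts
  return effective.includes("'unsafe-eval'");
}

// True when the script contains a sink that the given policy would refuse to run.
function mayBeBlocked(source, headerValue) {
  return findEvalSinks(source).length > 0 && !cspAllowsEval(headerValue);
}

// Constructed sample: the call sites quoted in the question.
const fullBuildSample = 'f(Function.call,k);Function.apply(this,["fn","props"]);';
// Constructed sample: shape of a precompiled template (function literals only).
const precompiledSample = 'templates["template"]=Handlebars.template(' +
  '{"main":function(container,depth0,helpers,partials,data){return "<p>hi</p>";}});';

const policy = "script-src 'self' 'unsafe-inline'";
console.log(mayBeBlocked(fullBuildSample, policy));   // true
console.log(mayBeBlocked(precompiledSample, policy)); // false
```

The scan is a text heuristic: a match means the file contains a sink, not that the sink is reached at runtime.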
