Unsafe-Eval listed but still blocked #28

binarykitchen · 2014-01-24T01:54:43Z

I have these policies:

    var policy = {
        defaultPolicy: {
            'default-src': [
                "'self'",
                "data:",
                "'unsafe-inline'",
                "'unsafe-eval'"
            ],
            'img-src': [
                "'self'",
                "data:",
                "www.google-analytics.com"
            ],
            'script-src': [
                "'self'",
                "'unsafe-inline'",
                "'unsafe-eval'",
                "www.google-analytics.com"
            ]
        }
    };

    helmet.csp.policy(policy);

    app.use(helmet.csp());

but still, Firefox complains with:

Content Security Policy: The page's settings blocked the loading of a resource: An attempt to call JavaScript from a string (by calling a function like eval) has been blocked

call to eval() or related function blocked by CSP

Huh? I am allowing unsafe-evals here. Can anyone explain?

EvanHahn · 2014-03-28T19:47:53Z

Could you paste what the HTTP header is?

EvanHahn · 2014-04-15T15:22:10Z

I'm going to close this issue because it seems inactive (and is about old code).

binarykitchen · 2014-04-15T23:09:01Z

Right, it is working fine now. Sorry for not replying earlier ...

EvanHahn closed this as completed Apr 15, 2014

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Unsafe-Eval listed but still blocked #28

Unsafe-Eval listed but still blocked #28

binarykitchen commented Jan 24, 2014

EvanHahn commented Mar 28, 2014

EvanHahn commented Apr 15, 2014

binarykitchen commented Apr 15, 2014

Unsafe-Eval listed but still blocked #28

Unsafe-Eval listed but still blocked #28

Comments

binarykitchen commented Jan 24, 2014

EvanHahn commented Mar 28, 2014

EvanHahn commented Apr 15, 2014

binarykitchen commented Apr 15, 2014