Webpack compiled bundle includes Function() eval which chrome extensions does not allow

[eyalw]

Hi,

my webpack build output a javascript that uses Funciton("") evaluating. Chrome extensions security policy does not allow that:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:".

Is there a way to use webpack without it outputting unsafe expressions like this?

e.g. Angular has a configuration to disable features that use unsafe eval:
https://docs.angularjs.org/api/ng/directive/ngCsp

[aackerman]

Can you post your webpack config? This is probably result of a plugin or devtool behavior.

[bebraw]

@eyalw Any update? Having a runnable example would help.

[eyalw]

@bebraw it seems the eval code was related to React, not Webpack.
we can close this issue.

sorry for the hassle.

[samkelleher]

@eyalw Where did you find the issue on React? I can't locate it. Also seeing the same unsafe-eval error using React+Webpack and trying to track down the issue.

[ORESoftware]

I need help with this

when I used ng build --prod the problem goes away...but when I use ng build I get the eval related code. Does anyone know a setting I can use with Angular apps to turn off the unsafe code in development?