
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script Content Security Policy directive:default-src self

In my application, I want a Content Security Policy where all directives are set to self, but when I try to do that it shows the following errors:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self';".

at Function (<anonymous>)
at Function._init (yui_combo.php?rollup/3.17.2/yui-moodlesimple-min.js:8:3195)
at yui_combo.php?rollup/3.17.2/yui-moodlesimple-min.js:9:4331
at yui_combo.php?rollup/3.17.2/yui-moodlesimple-min.js:9:4558

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-BfUVqxUMiFIZGvtAvlU3O1tTN9idUT5IuAIpMSM2F5g='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&display=swap' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.

The content security policy must have these directives:

default-src 'self';
script-src 'self' 'unsafe-eval';
style-src 'self' fonts.googleapis.com;

and more.

It is OK if you understand the risks; it's a trade-off if you can't change your application. You simply either add it or rewrite your application so it doesn't break your policy. So, the question is then, what is your question? – Tore Nestenius May 25, 2022 at 12:30

I am using Moodle in which by default yui-combo.php is already present. During VAPT (security testing) it was observed that the below mentioned HTTP headers were not set:
1. Strict-Transport-Security: max-age=16070400; includeSubDomains
2. X-Frame-Options, Frame-Options X-Frame-Options: deny
3. X-XSS-Protection: 1; mode=block
4. X-Content-Type-Options: nosniff
5. Content Security Policy: all directives should be set to self; 'unsafe-eval' and 'unsafe-inline' should not be included in CSP.
All four are done but for the 5th point I am getting these errors. – Sunny Adhatrao May 26, 2022 at 7:26

To comply with a policy that only allows default-src 'self', you need to rewrite your pages and HTML so that it only loads resources from your own site and not any external requests like fonts.googleapis.com. But in reality, most sites using CSP will allow some domains like fonts.googleapis.com, as a compromise. It is a trade-off between security, what is practical and the cost to rewrite your application/site to comply with the policy... – Tore Nestenius May 26, 2022 at 10:47

Download and add the file locally to your site: fonts.googleapis.com/…' or accept and trust fonts.googleapis.com? – Tore Nestenius May 26, 2022 at 12:43

If you are using helmet on your Node.js server, you can configure the following:

// server is the Express app; helmet is require("helmet")
server.use(helmet({
    contentSecurityPolicy: false
}));

Or you can configure the following to whitelist a specific domain:

server.use(
  helmet.contentSecurityPolicy({
    directives: {
      "script-src": ["'self'", "example.com"],
      "style-src": null, // removes helmet's default style-src, so default-src governs styles
    },
  })
);

I got the same error when I tried to create a Chrome extension.

Anyway, let me tell you why this error occurred.

Here are some points:

  • The error message indicates that the CSP does not allow the use of 'unsafe-eval' as a source of the script.
  • This means that you cannot use the eval() method/function in your extension code.
  • So now, let's see how we can fix this issue! We can modify the CSP of your extension to allow 'unsafe-eval'. To do this, we need to add the following line to our manifest.json file.

    In the below section, if you are using manifest V2 then use this line:

    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"

    Or if you are using manifest V3 then you have to use this:

    "content_security_policy": {
        "extension_pages": "script-src 'self' 'unsafe-eval'; object-src 'self'"
    }

...and, in MV3, you'll get this error: 'content_security_policy.extension_pages': Insecure CSP value "'unsafe-eval'" in directive 'script-src' and the extension is not loaded. Wrong way, sorry. – radiolondra Apr 30 at 17:06
            
