Welcome to our new AbleCommerce forums. As a guest, you may view the information here. To post to this forum, you must have a registered account with us, either as a new user evaluating AbleCommerce or an existing user of the application. For all questions related to the older version of Gold and earlier, please go to AbleCommerce Gold forum. Please use your AbleCommerce username and password to Login. New Registrations are disabled.
judy at Web2Market  
#1 Posted : Wednesday, May 17, 2023 7:21:34 AM(UTC)
Rank: Advanced Member

Groups: Developers
Joined: 11/7/2018(UTC)
Posts: 289

Thanks: 21 times
Was thanked: 5 time(s) in 5 post(s)
We have a site whose owning company requires a strict CSP policy. Through much suffering, I was able to fix most of the issues with NWebsec and by rewriting inline events, like "onclick", with event listeners. The thing that still eludes me is 'unsafe-eval' in a couple of places because of jquery.unobtrusive-ajax.js, like in the Quick View popup.
The CSP warning shows the following, and please don't tell me to allow 'unsafe-eval' or 'strict-dynamic' in the CSP, because the parent company won't allow it.
(Sorry attach file didn't work)
ve-ajax.js:36 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'nonce-2ho1DxG32tYCgDuwutMG8Wn8' 'sha256-U9sublM/KmPL6ESqoLu3fefvZe19GRJl8tSMa6Ke3KE=' 'sha256-5MzPUN77xfAJRVSk5QAp4SYYEPQws8FhP1iN/kk1KSs=' 'sha256-98xBbPOa/A/oeOsS3ew1VkUxqjP1kSVMpTJWUCyS2RM=' 'sha256-nG6S0S5vCLDM+JZRuNqcW2eaD2SbcxF68QN2em60YU8='

at Function (<anonymous>)
at getFunction (jquery.unobtrusive-ajax.js:36:37)
at Object.success (jquery.unobtrusive-ajax.js:107:17)
at fire (jquery-3.6.0.js:3507:31)
at Object.fireWith [as resolveWith] (jquery-3.6.0.js:3637:7)
at done (jquery-3.6.0.js:9803:14)
at XMLHttpRequest.<anonymous> (jquery-3.6.0.js:10064:9)
getFunction @ jquery.unobtrusiv

The line in jquery.unobtrusive-ajax.js is:
return Function.constructor.apply(null, argNames);

I have found these posts, but I don't understand what they mean to do with the noop:
https://github.com/aspne...ax-unobtrusive/issues/49

I had put their "possible fix" in and it didn't help:
function getFunction(code, argNames) {
    if (!code) return function() { return null; };

The other code, with disableeval.js, just blocked the code from working at all.

I also tried using the solutions in this post:
https://cezarypiatek.git...g-with-unobtrusive-ajax/
When I got down to the part that said "Unfortunately, this solution has few drawbacks which can materialize in certain use cases", I stopped because I didn't want to cause issues on the site.
I couldn't understand what he was saying after that about global ajax event handlers.
Can anyone interpret how to implement that?
Thanks
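The following is an added example, not code from the post above or from the aspnet/jquery-ajax-unobtrusive project. It shows what the "noop" fix amounts to and takes it one step further: a replacement for the library's getFunction() that never reaches Function.constructor, so no data-ajax-* attribute value is ever compiled as JavaScript and the CSP does not need 'unsafe-eval'. The stock getFunction already walks the attribute value as a dotted name on window before falling back to the Function constructor; the only paths that still hit the fallback (and therefore the EvalError in the stack trace) are an absent or empty attribute, a name that does not resolve to a function, and an inline expression such as "show(data)". The version below handles all three without evaluating anything. The scope object (window or globalThis in a browser) is a parameter so the code can be exercised outside a page; the handler names App, quickView and onSuccess and the demoScope object are constructed for this example and are not part of the library or of AbleCommerce.

```javascript
// Added example (not the post's or the jquery-ajax-unobtrusive project's code):
// a CSP-safe getFunction() that never calls Function.constructor.

// Attribute values we are willing to resolve: an identifier optionally
// followed by ".identifier" segments, e.g. "App.quickView.onSuccess".
// Anything else (an expression such as "show(data)") is rejected outright.
const HANDLER_PATH = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// The "noop" from the GitHub issue: a handler that does nothing. One shared
// function, so callers can test whether the fallback was used.
function noop() { return null; }

function getFunctionSafe(code, argNames, scope = globalThis) {
  // 1. Attribute absent or empty. The library calls getFunction for
  //    data-ajax-success / -complete / -failure on every request whether or
  //    not the attribute exists, so this branch is taken constantly.
  if (!code) return noop;

  const path = String(code).trim();

  // 2. A dotted name: walk it on the scope object, as the stock getFunction
  //    does before its eval fallback. The function is returned unbound; the
  //    library applies it with the triggering element as `this`.
  if (HANDLER_PATH.test(path)) {
    let fn = scope;
    for (const part of path.split('.')) {
      if (fn === null || fn === undefined) break;
      fn = fn[part];
    }
    if (typeof fn === 'function') return fn;
  }

  // 3. Everything that used to reach
  //      return Function.constructor.apply(null, argNames);
  //    (an unknown name, a non-function, or an inline expression). Under a
  //    nonce/hash CSP that line throws EvalError, so degrade to the no-op and
  //    leave a diagnostic. argNames is only reported, never evaluated.
  if (typeof console !== 'undefined' && typeof console.warn === 'function') {
    console.warn('unobtrusive-ajax: handler "' + path + '" with arguments (' +
      argNames.join(', ') + ') did not resolve to a function; ignoring.');
  }
  return noop;
}

// Constructed stand-in for the browser's window, holding the kind of global
// handler the markup must now name, i.e.
//   data-ajax-success="App.quickView.onSuccess"
// instead of an inline expression. The names are assumed for this example.
const demoScope = {
  App: {
    quickView: {
      onSuccess: function (data, status, xhr) {
        return 'rendered:' + data;
      },
    },
  },
};

// Runs the resolver over the cases that matter and reports, per case,
// whether it behaved as intended (true everywhere means the fix holds).
function demo(scope = demoScope) {
  const args = ['data', 'status', 'xhr'];
  return {
    named: getFunctionSafe('App.quickView.onSuccess', args, scope) !== noop,
    missingAttr: getFunctionSafe(null, args, scope) === noop,
    emptyAttr: getFunctionSafe('', args, scope) === noop,
    expression: getFunctionSafe('App.quickView.onSuccess(data)', args, scope) === noop,
    unknownName: getFunctionSafe('App.nope', args, scope) === noop,
    notAFunction: getFunctionSafe('App.quickView', args, scope) === noop,
  };
}
```

getFunction is a private function inside the library's closure, so the replacement has to be made in jquery.unobtrusive-ajax.js itself (or a copy of it served in its place) rather than patched from outside. The price of the change is that any data-ajax-success / -complete / -failure / -begin attribute whose value is an expression rather than a dotted function name silently stops running and logs the warning above; those handlers have to be moved into named global functions (or attached through jQuery's global ajaxSuccess / ajaxComplete events, which is the alternative the linked blog post discusses and which this example does not cover).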
