Vue - unsafe eval?

See original GitHub issue

The HUD isnt working for me any more (Firefox 58.0.2) 😦 I’m getting this error in the console: Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://zap”). Source: call to eval() or related function blocked by CSP. And it links to this section of vue.js:

      // detect possible CSP restriction
      try {
        new Function('return 1');
      } catch (e) {
        if (e.toString().match(/unsafe-eval|CSP/)) {
          warn$$1(
            'It seems you are using the standalone build of Vue.js in an ' +
            'environment with Content Security Policy that prohibits unsafe-eval. ' +
            'The template compiler cannot work in this environment. Consider ' +
            'relaxing the policy to allow unsafe-eval or pre-compiling your ' +
            'templates into render functions.'
          );
        }
      }

Is anyone else seeing this? We really dont want to have to enable unsafe-eval 😦(

Issue Analytics

State:
Created 6 years ago
Comments:11 (6 by maintainers)

Top GitHub Comments

1reaction

dscroboniacommented, Mar 8, 2018

Also here’s a google doc where I’m compiling my notes on all this. (I forget way too easily) https://docs.google.com/document/d/1vNJEyuYNWK6FF-9VAGuXhiJXPwFr1iVQ8WL8gD25PGw/edit?usp=sharing

0reactions

psiinoncommented, Mar 15, 2018

\o/ FYI today I’m going to try to implement a load of ZAP HUD options, including a Development mode and an option to use Unsafe eval to allow inline template compilation…

Top Results From Across the Web

How to fix "unsafe-eval" error with Vue3 for the client-side ...

'unsafe-eval' is only needed for the full version of VueJS; the runtime version doesn't need it. See details here. The runtime-only build is ......

Unsafe-eval in Vue 3

Hello,. I am working on a SPA using vue3 that is built using the vue-cli. ... So, basically you enforce your website to...

Refused to evaluate a string as JavaScript because 'unsafe ...

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following ...

CSP in Vue.JS

5, Evading defences using VueJS script gadgets original at portswigger.net ; 6, vuejs doesn't work without unsafe-eval in Directive::SCRIPT ; 7, VueJS XSS...

Vue.js 3 extension breaks while using "vue-cli-service build ...

using Single File Components and default vue-cli config is ok as it will indeed just need vue runtime, so no unsolicited unsafe-eval; webpack...