[BUG] formio.js requires unsafe-eval tag to operate
Environment
Please provide as many details as you can: Adding CSP headers will raise an error and forms won’t render:
Which refers to: https://github.com/EventEmitter2/EventEmitter2/blob/master/lib/eventemitter2.js#L306
- Hosting type
  - Form.io
  - Local deployment
- Version: Nginx 1.7.8
- Formio.js version: 4.9.26
- Vue-Formio version: 4.0.2
- Frontend framework: VueJS 2.6.11
- Browser: Chrome
- Browser version: 81.0.4044.138
Steps to Reproduce
- Apply CSP headers without `unsafe-eval` tag
- Run the environment
Expected behavior
I guess formio should work without unsafe-eval tag.
Observed behavior
It does not.
So, I just wonder if this is fixable by using some other library.
Issue Analytics
- State:
- Created 3 years ago
- Reactions: 2
- Comments: 18 (18 by maintainers)
Top GitHub Comments
The 5.x branch is under development now but has a lot more features to be completed first. We are looking at around the end of the year for a release of it.
You can turn off unsafe-eval for a web page and most of the form.io functionality will still work. There are some places where you can write custom javascript (such as default values and custom conditionals) that will not work if you do that but the system is designed to degrade gracefully and just not execute the javascript if that is the case.
We are finishing up some new functionality in the next major version that will allow configuring almost any conditional, validation and other functionality without needing to write any javascript. This should nearly completely remove the need for eval at all.
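
The graceful degradation described in the comment above, as an added example that is not part of the issue thread and is not formio.js code. It uses Node's `vm` module to emulate a page whose CSP omits `unsafe-eval`; the helper names, the field object and the expression-style conditional are assumptions made for illustration.

```javascript
const vm = require('node:vm');

// Runs inside the sandbox. Hypothetical helper, not a formio.js function.
const EVALUATOR_SRC = `(function (snippet, data) {
  try {
    // Compiling code from a string is what CSP gates behind 'unsafe-eval'.
    const fn = new Function('data', 'return (' + snippet + ');');
    return { ran: true, value: fn(data) };
  } catch (err) {
    // Chrome and Firefox raise EvalError when the policy blocks this.
    if (err && err.name === 'EvalError') return { ran: false, value: undefined };
    throw err; // a broken snippet is a real bug, do not hide it
  }
})`;

// allowEval=false emulates a page whose CSP omits 'unsafe-eval'.
function makeEvaluator(allowEval) {
  const context = vm.createContext({}, {
    codeGeneration: { strings: allowEval, wasm: false },
  });
  return vm.runInContext(EVALUATOR_SRC, context);
}

// Decide field visibility; fall back to the static default when the
// custom conditional could not be executed under the policy.
function isVisible(evaluate, field, data) {
  if (!field.customConditional) return field.defaultVisible;
  const result = evaluate(field.customConditional, data);
  return result.ran ? Boolean(result.value) : field.defaultVisible;
}

// Constructed sample field and submission data.
const field = { key: 'alcohol', defaultVisible: false, customConditional: 'data.age >= 18' };
const data = { age: 30 };

function demo() {
  return {
    withEval: isVisible(makeEvaluator(true), field, data),
    withoutEval: isVisible(makeEvaluator(false), field, data),
  };
}

console.log(demo());
```

When the snippet is skipped the field keeps its static default, so any field whose visibility or validation matters for security should default to the restrictive state.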