Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

bug: Ionic Core using unsafe eval now allowed by strict CSP

See original GitHub issue

Bug Report

Ionic version:

[x] 4.x

Current behavior:

The ionic.core.js files, as well as ionicons.core.js files use the line new Function(“w”,“return class extends w.HTMLElement{}”) which causes EvalError: Refused to evaluate a string as JavaScript because ‘unsafe-eval’ is not an allowed source of script in the following Content Security Policy directive: “script-src”

This looks like it comes from ES5 backwards compatibility. There should be an option to not include ES5 if needed. There is the option in the angular.json, but that doesn’t seem to work to remove this "es5BrowserSupport": false

Expected behavior:

All unsafe evals should be removed to allow ionic to run in environments with strict CSP.

Steps to reproduce:

Generate a new ionic application

Related code:

var e;
            ! function r(n) {
              return /\{\s*\[native code\]\s*\}/.test("" + n)
            }(n.customElements.define) ? (e = function(t) {
              return n.HTMLElement.call(this, t)
            }).prototype = Object.create(n.HTMLElement.prototype, {
              constructor: {
                value: e,
                configurable: !0
              }
            }): e = new Function("w", "return class extends w.HTMLElement{}")(n), U[s].u(function i(n) {
              var t = C(n),
                e = t.s,
                r = d(n[0]);
              return t.s = function(n) {
                var t = n.mode,
                  i = n.scoped;
                return function o(n, t, e) {
                  return __webpack_require__("./node_modules/@ionic/core/dist/esm/es5/build lazy recursive ^\\.\\/.*\\.entry\\.js$ include: \\.entry\\.js$")("./" + n + (t ? ".sc" : "") + ".entry.js").then(function(n) {
                    return n[e]
                  })
                }("string" == typeof e ? e : e[t], i, r)
              }, t
            }(t), e)

Other information:

Ionic info:

Ionic:

   ionic (Ionic CLI)             : 4.12.0 (C:\Users\billy\AppData\Roaming\npm\node_modules\ionic)
   Ionic Framework               : @ionic/angular 4.4.0
   @angular-devkit/build-angular : 0.13.9
   @angular-devkit/schematics    : 7.3.9
   @angular/cli                  : 7.3.9
   @ionic/angular-toolkit        : 1.5.1

Cordova:

   cordova (Cordova CLI) : 9.0.0 (cordova-lib@9.0.1)
   Cordova Platforms     : none
   Cordova Plugins       : not available

System:

   NodeJS : v10.15.3 (C:\Program Files\nodejs\node.exe)
   npm    : 6.4.1
   OS     : Windows 10

Issue Analytics

State:
Created 4 years ago
Reactions:3
Comments:5 (2 by maintainers)

Top GitHub Comments

1reaction

liamdebeasicommented, May 14, 2019

Hi there,

Thanks for the issue. We are aware of this issue, and this is something that will be fixed in our upcoming Stencil refactor.

I will keep this issue open until Ionic has been updated with the latest Stencil update.

Thanks!

0reactions

ionitron-bot[bot]commented, May 2, 2020

Thanks for the issue! This issue is being locked to prevent comments that are not relevant to the original issue. If this is still an issue with the latest version of Ionic, please create a new issue and ensure the template is fully filled out.