MessageFormat transpiler throws 'unsafe-eval' when activating CSP

After activating CSP for my app I get the following error:

ERROR EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".

    at new Function (<anonymous>)
    at t.value (main-es2015.cb51f3636f796a68c875.js:formatted:3091)
    at transpile (main-es2015.cb51f3636f796a68c875.js:formatted:63482)
    at translate (main-es2015.cb51f3636f796a68c875.js:formatted:34366)
    at t.updateValue (main-es2015.cb51f3636f796a68c875.js:formatted:34679)
    at u._next (main-es2015.cb51f3636f796a68c875.js:formatted:34670)
    at u.__tryOrUnsub (main-es2015.cb51f3636f796a68c875.js:formatted:10670)
    at u.next (main-es2015.cb51f3636f796a68c875.js:formatted:10633)
    at l._next (main-es2015.cb51f3636f796a68c875.js:formatted:10593)
    at l.next (main-es2015.cb51f3636f796a68c875.js:formatted:10578)

Is it really necessary for transloco to use eval in production bundles? Or is there something wrong with the configuration of my app?

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 9 (3 by maintainers)

Top GitHub Comments

2 reactions
k3nsei commented, Oct 30, 2020

@ftischler so the best option is to create an issue in the messageformat GitHub repository and link it here. Also, it is worth reporting the package on its npm page to mark those versions as risky.

Edited: There is already such an issue created: https://github.com/messageformat/messageformat/issues/180. They are recommending usage of https://formatjs.io/docs/intl-messageformat/ as a replacement.

1 reaction
ftischler commented, Oct 30, 2020

@k3nsei messageformat.transpiler.ts imports the node_module messageformat which uses eval here at line 197 and many others as well.

Can I do something to get rid of this? I would like to remove ‘unsafe-eval’ from my CSP as quickly as possible. Thank you 😊
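
An added example, not code from Transloco, messageformat or FormatJS: formatting a small subset of ICU message syntax by walking a parsed tree instead of compiling the message into a JavaScript function, which is the kind of formatter that runs under a script-src without 'unsafe-eval'. The function names parseMessage and formatMessage and the supported subset (simple arguments and plural) are assumptions made for this example.

```javascript
// Added example: ICU-style subset, {name} and {n, plural, =0 {..} one {..} other {..}}.
// The message is parsed to a tree and interpreted; nothing is passed to eval or
// new Function, so no 'unsafe-eval' source is needed in the CSP.
function parseMessage(src) {
  let i = 0;
  const readUntil = (stops) => {
    const start = i;
    while (i < src.length && !stops.includes(src[i])) i++;
    if (i >= src.length) throw new SyntaxError('unterminated argument');
    return src.slice(start, i).trim();
  };
  function parts(nested) {
    const out = [];
    while (i < src.length) {
      if (src[i] === '}') { if (nested) break; throw new SyntaxError('unexpected }'); }
      if (src[i] === '{') { i++; out.push(arg()); continue; }
      const start = i;
      while (i < src.length && src[i] !== '{' && src[i] !== '}') i++;
      out.push(src.slice(start, i));
    }
    return out;
  }
  function arg() {
    const name = readUntil(',}');
    if (src[i++] === '}') return { name };            // simple {name}
    const type = readUntil(',');
    i++;
    if (type !== 'plural') throw new SyntaxError('unsupported type: ' + type);
    const cases = Object.create(null);                // no inherited keys
    for (;;) {
      const key = readUntil('{}');
      if (src[i++] === '}') return { name, cases };   // end of plural argument
      cases[key] = parts(true);
      if (src[i++] !== '}') throw new SyntaxError('unterminated case: ' + key);
    }
  }
  return parts(false);
}

function formatMessage(ast, values, locale = 'en', num) {
  return ast.map((p) => {
    if (typeof p === 'string') return num === undefined ? p : p.replace(/#/g, () => String(num));
    if (!Object.prototype.hasOwnProperty.call(values, p.name)) throw new Error('missing value: ' + p.name);
    const v = values[p.name];
    if (!p.cases) return String(v);                   // inserted as data, never executed
    const rule = new Intl.PluralRules(locale).select(v);
    const branch = p.cases['=' + v] || p.cases[rule] || p.cases.other;
    if (!branch) throw new Error('no plural case for ' + p.name);
    return formatMessage(branch, values, locale, v);
  }).join('');
}
```

The returned string is plain text; escaping it for HTML remains the caller's job.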
