Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Vue - unsafe eval?

See original GitHub issue

The HUD isnt working for me any more (Firefox 58.0.2) 😦 I’m getting this error in the console: Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://zap”). Source: call to eval() or related function blocked by CSP. And it links to this section of vue.js:

      // detect possible CSP restriction
      try {
        new Function('return 1');
      } catch (e) {
        if (e.toString().match(/unsafe-eval|CSP/)) {
          warn$$1(
            'It seems you are using the standalone build of Vue.js in an ' +
            'environment with Content Security Policy that prohibits unsafe-eval. ' +
            'The template compiler cannot work in this environment. Consider ' +
            'relaxing the policy to allow unsafe-eval or pre-compiling your ' +
            'templates into render functions.'
          );
        }
      }

Is anyone else seeing this? We really dont want to have to enable unsafe-eval 😦(

Issue Analytics

State:
Created 6 years ago
Comments:11 (6 by maintainers)

Top GitHub Comments

1reaction

dscroboniacommented, Mar 8, 2018

Also here’s a google doc where I’m compiling my notes on all this. (I forget way too easily) https://docs.google.com/document/d/1vNJEyuYNWK6FF-9VAGuXhiJXPwFr1iVQ8WL8gD25PGw/edit?usp=sharing

0reactions

psiinoncommented, Mar 15, 2018

\o/ FYI today I’m going to try to implement a load of ZAP HUD options, including a Development mode and an option to use Unsafe eval to allow inline template compilation…

Top Results From Across the Web

How to fix "unsafe-eval" error with Vue3 for the client-side ...

'unsafe-eval' is only needed for the full version of VueJS; the runtime version doesn't need it. See details here. The runtime-only build is ......

Unsafe-eval in Vue 3

Hello,. I am working on a SPA using vue3 that is built using the vue-cli. ... So, basically you enforce your website to...

Refused to evaluate a string as JavaScript because 'unsafe ...

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following ...

CSP in Vue.JS

5, Evading defences using VueJS script gadgets original at portswigger.net ; 6, vuejs doesn't work without unsafe-eval in Directive::SCRIPT ; 7, VueJS XSS...

Vue.js 3 extension breaks while using "vue-cli-service build ...

using Single File Components and default vue-cli config is ok as it will indeed just need vue runtime, so no unsolicited unsafe-eval; webpack...