This is not a supported setting, as it would cripple the software and make many key features impossible.
It is also a useless setting, as there are many other ways of doing an unsafe eval() without calling the eval function per se.
If you believe the framework contains any unsafe evals, please submit a test case showing how they can be exploited.
Content Security Policy -unsafe eval
Hi,
We have a requirement where we want to remove "unsafe-eval" from the CSP header for security concerns. On removing unsafe-eval from the "script-src" directive in the CSP header, Isomorphic code breaks in ISC_Core.js because we are using new Function() in that file. Do we have support in Isomorphic to achieve the same?