[wp-trac] [WordPress Trac] #49812: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'".

WordPress Trac noreply at wordpress.org
Sat Apr 4 18:33:34 UTC 2020


#49812: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval'
is not an allowed source of script in the following Content Security Policy
directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'".
-------------------------------+-----------------------------
 Reporter:  anvme              |      Owner:  (none)
     Type:  defect (bug)       |     Status:  new
 Priority:  normal             |  Milestone:  Awaiting Review
Component:  Posts, Post Types  |    Version:  5.4
 Severity:  major              |   Keywords:  needs-patch
  Focuses:                     |
-------------------------------+-----------------------------
 We got a problem =(
 Clean wp installation.
 Pages
 /wp-admin/post-new.php
 /wp-admin/post.php?post=1&action=edit

 Server configuration: NGINX + PHP-FPM
 I have a security file
 /etc/nginx/blog.anv.me/security.conf
 ...
 add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
 ...
 Content Security Policy is an effective measure to protect my blog from
 XSS attacks.

 Console log
 {{{
 [Error] EvalError: Refused to evaluate a string as JavaScript because
 'unsafe-eval' is not an allowed source of script in the following Content
 Security Policy directive: "default-src 'self' http: https: data: blob:
 'unsafe-inline'".

         Function (data.js:161)
         (anonymous function) (data.js:161)
         combineReducers (data.js:162)
         (anonymous function) (blocks.js:6146:95)
         __webpack_require__ (blocks.js:21)
         (anonymous function) (blocks.js:85)
         Global Code (blocks.js:86)
 [Error] TypeError: undefined is not an object (evaluating
 'wp.blocks.setCategories')
         Global Code (post-new.php:1673)
 [Error] EvalError: Refused to evaluate a string as JavaScript because
 'unsafe-eval' is not an allowed source of script in the following Content
 Security Policy directive: "default-src 'self' http: https: data: blob:
 'unsafe-inline'".

         Function (data.js:161)
         (anonymous function) (data.js:161)
         combineReducers (data.js:162)
         (anonymous function) (rich-text.js:761:95)
         __webpack_require__ (rich-text.js:21)
         (anonymous function) (rich-text.js:85)
         Global Code (rich-text.js:86)
 [Error] EvalError: Refused to evaluate a string as JavaScript because
 'unsafe-eval' is not an allowed source of script in the following Content
 Security Policy directive: "default-src 'self' http: https: data: blob:
 'unsafe-inline'".

         Function (data.js:161)
         (anonymous function) (data.js:161)
         combineReducers (data.js:162)
         createReduxStore (data.js:1722)
         createNamespace (data.js:1611)
         (anonymous function) (data.js:2240)
         (anonymous function) (keyboard-shortcuts.js:853:91)
         __webpack_require__ (keyboard-shortcuts.js:21)
         (anonymous function) (keyboard-shortcuts.js:85)
         Global Code (keyboard-shortcuts.js:86)
 [Error] EvalError: Refused to evaluate a string as JavaScript because
 'unsafe-eval' is not an allowed source of script in the following Content
 Security Policy directive: "default-src 'self' http: https: data: blob:
 'unsafe-inline'".

         Function (data.js:161)
         (anonymous function) (data.js:161)
         combineReducers (data.js:162)
         createReduxStore (data.js:1722)
         createNamespace (data.js:1611)
         (anonymous function) (data.js:2240)
         (anonymous function) (viewport.js:340:91)
         __webpack_require__ (viewport.js:21)
         (anonymous function) (viewport.js:85)
         Global Code (viewport.js:86)
 [Error] EvalError: Refused to evaluate a string as JavaScript because
 'unsafe-eval' is not an allowed source of script in the following Content
 Security Policy directive: "default-src 'self' http: https: data: blob:
 'unsafe-inline'".

         Function (data.js:161)
         (anonymous function) (data.js:161)
         combineReducers (data.js:162)
         (anonymous function) (lodash.js:5115)
         (anonymous function) (block-editor.js:9447)
         __webpack_require__ (block-editor.js:21)
         (anonymous function) (block-editor.js:85)
         Global Code (block-editor.js:86)
 [Error] EvalError: Refused to evaluate a string as JavaScript because
 'unsafe-eval' is not an allowed source of script in the following Content
 Security Policy directive: "default-src 'self' http: https: data: blob:
 'unsafe-inline'".

         Function (data.js:161)
         (anonymous function) (data.js:161)
         combineReducers (data.js:162)
         (anonymous function) (core-data.js:2233:108)
         __webpack_require__ (core-data.js:21)
         (anonymous function) (core-data.js:85)
         Global Code (core-data.js:86)
 [Error] TypeError: undefined is not an object (evaluating
 'external_this_wp_blockEditor_["withFontSizes"]')
         (anonymous function) (block-library.js:3388:104)
         __webpack_require__ (block-library.js:21)
         (anonymous function) (block-library.js:85)
         Global Code (block-library.js:86)
 [Error] EvalError: Refused to evaluate a string as JavaScript because
 'unsafe-eval' is not an allowed source of script in the following Content
 Security Policy directive: "default-src 'self' http: https: data: blob:
 'unsafe-inline'".

         Function (data.js:161)
         (anonymous function) (data.js:161)
         combineReducers (data.js:162)
         createReduxStore (data.js:1722)
         createNamespace (data.js:1611)
         (anonymous function) (data.js:2240)
         (anonymous function) (notices.js:548:91)
         __webpack_require__ (notices.js:21)
         (anonymous function) (notices.js:85)
         Global Code (notices.js:86)
 [Error] TypeError: undefined is not an object (evaluating
 'external_this_wp_blockEditor_["SETTINGS_DEFAULTS"]')
         (anonymous function) (editor.js:2095)
         __webpack_require__ (editor.js:21)
         (anonymous function) (editor.js:85)
         Global Code (editor.js:86)
 [Error] EvalError: Refused to evaluate a string as JavaScript because
 'unsafe-eval' is not an allowed source of script in the following Content
 Security Policy directive: "default-src 'self' http: https: data: blob:
 'unsafe-inline'".

         Function (data.js:161)
         (anonymous function) (data.js:161)
         combineReducers (data.js:162)
         (anonymous function) (lodash.js:5115)
         (anonymous function) (edit-post.js:1491:148)
         __webpack_require__ (edit-post.js:21)
         (anonymous function) (edit-post.js:85)
         Global Code (edit-post.js:86)
 [Error] TypeError: undefined is not an object (evaluating
 'external_this_wp_richText_["registerFormatType"]')
         (anonymous function) (format-library.js:1897)
         forEach
         (anonymous function) (format-library.js:1893)
         __webpack_require__ (format-library.js:21)
         (anonymous function) (format-library.js:85)
         Global Code (format-library.js:86)
 [Error] TypeError: undefined is not an object (evaluating
 'wp.editPost.initializeEditor')
         (anonymous function) (post-new.php:1827)
 [Error] TypeError: undefined is not an object (evaluating
 'wp.blocks.unregisterBlockStyle')
         (anonymous function) (editor-script-block.js:8)
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/49812>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
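
An added example, not part of the ticket or of WordPress code: it resolves which directive of the reported policy governs script evaluation and what that directive permits, which is why `new Function()` in `data.js` raises the EvalError while inline scripts still run. The function names `parseCsp` and `scriptPolicy` are hypothetical; the policy string is the one quoted in the ticket.

```javascript
// Added example: resolve which CSP directive governs script execution and
// what it permits. The policy string is the one quoted in the ticket.
const TICKET_POLICY =
  "default-src 'self' http: https: data: blob: 'unsafe-inline'";

// Parse a serialized policy into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// eval(), new Function() and string setTimeout are governed by script-src,
// falling back to default-src when script-src is absent.
// (script-src-elem / script-src-attr are not modelled here.)
function scriptPolicy(policy) {
  const d = parseCsp(policy);
  const governing = d.has('script-src') ? 'script-src'
    : d.has('default-src') ? 'default-src' : null;
  if (governing === null) {
    // No governing directive: CSP places no restriction on scripts.
    return { governing, evalAllowed: true, inlineAllowed: true, schemes: ['*'] };
  }
  const sources = d.get(governing).map((s) => s.toLowerCase());
  const hasNonceOrHash = sources.some((s) =>
    /^'(nonce-|sha(256|384|512)-)/.test(s));
  return {
    governing,
    evalAllowed: sources.includes("'unsafe-eval'"),
    // Browsers ignore 'unsafe-inline' when a nonce or hash is present.
    inlineAllowed: sources.includes("'unsafe-inline'") && !hasNonceOrHash,
    // Scheme sources such as https: match any host on that scheme.
    schemes: sources.filter((s) => /^[a-z][a-z0-9+.-]*:$/.test(s)),
  };
}

console.log(scriptPolicy(TICKET_POLICY));
```

For the ticket's policy the governing directive is `default-src`, string evaluation is blocked, and inline scripts plus any `http:`, `https:`, `data:` or `blob:` script source are permitted.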

