[wp-trac] [WordPress Trac] #49812: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'".
WordPress Trac
noreply at wordpress.org
Mon Jul 29 08:28:14 UTC 2024
#49812: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval'
is not an allowed source of script in the following Content Security Policy
directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'".
-------------------------------+-----------------------
Reporter: anvme | Owner: (none)
Type: defect (bug) | Status: reopened
Priority: normal | Milestone:
Component: Posts, Post Types | Version: 6.6.1
Severity: normal | Resolution:
Keywords: | Focuses:
-------------------------------+-----------------------
Changes (by papplebeebf):
* version: => 6.6.1
Comment:
I am also experiencing a similar issue with the WordPress core file:
https://github.com/WordPress/WordPress/blob/master/wp-includes/js/tw-
sack.js which uses the JavaScript eval() function, which is blocked when
not using 'unsafe-eval' in the Content Security Policy.
This seems like a big security hole, if we have to add 'unsafe-eval' to
the CSP.
Is this going to be fixed anytime soon?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/49812#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list