
The Google console, in tests run via Firebase Robo test, shows an exception:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src https://abs.twimg.com https://abs-0.twimg.com https://twitter.com https://mobile.twitter.com"

but in the WebView settings JS is enabled:

// WebView configuration from the question: JavaScript execution is switched on here.
// These are WebView settings; the page's own Content Security Policy is separate.
WebSettings settings = webview.getSettings();
settings.setJavaScriptEnabled(true);
webview.setWebChromeClient(new WebChromeClient());
settings.setSupportMultipleWindows(true);
settings.setDomStorageEnabled(true);

The same exception occurs if I put it in the header:

// Custom HTTP request header for the load, e.g. passed to webview.loadUrl(url, headers)
headers.put("Content-Security-Policy", "script-src 'self' 'unsafe-inline' 'unsafe-eval'");
asked by Slava

  • Yes, JS is enabled, but you have to deal with Content Security Policy, which grades JS constructions into "inline" and "eval" by safety. You have to allow `'unsafe-eval'` in CSP if you wish to use `eval()` / `Function()` or other [eval-expressions](https://csplite.com/csp148/#eval_script-src). But that reduces CSP protection. – granty May 28 '21 at 06:49
  • Can I set unsafe-eval in setting options for webview? – Slava May 28 '21 at 10:33
  • CSP in the webview is set in the meta tag, like [here](https://stackoverflow.com/questions/38277526/webview-content-security-policy/40412110#40412110) for `img-src`. 'unsafe-eval' should be added into the `script-src` directive. – granty May 28 '21 at 12:39
  • webview.loadData(meta_tag, "text/html", "utf-8"); is this correct, or should I insert the meta tag in another place? – Slava May 28 '21 at 14:09
  • 1. The `` meta tag should be inside the `` tag in the HTML page. Otherwise it does not work. 2. You already have such a meta tag with content `... script-src https://abs.twimg.com https://abs-0.twimg.com https://twitter.com https://mobile.twitter.com ...` as follows from the CSP violation in the console. Just add `'unsafe-inline'` into the `script-src` source list. 3. `headers.put()` adds custom **request** HTTP headers, but CSP is a **response** HTTP header. – granty May 28 '21 at 21:55
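The comments above turn on three properties of a policy string: whether `script-src` permits `eval()`, whether it permits inline script, and whether a given script URL is an allowed source. The following is an added example, not code from the question or its comments: a small JavaScript CSP evaluator that answers those questions for any policy, resolving the effective script directive the way CSP does (`script-src`, else `default-src`, else unrestricted). The policy string `TWITTER_POLICY` is quoted from the console error in the question; `WIDENED_POLICY`, the function names, and the sample URLs are my own. Host matching is a simplified form of the CSP host-source rules (scheme, exact host or one leading `*.` label, port); path matching is not modelled, and nonces and hashes are modelled only insofar as they disable `'unsafe-inline'`.

```javascript
// Parse "dir1 v v; dir2 v" into a Map of directive name -> source list.
// As in CSP, a repeated directive name is ignored after its first occurrence.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src falls back to default-src; with neither, scripts are unrestricted.
function effectiveScriptSources(directives) {
  if (directives.has("script-src")) return directives.get("script-src");
  if (directives.has("default-src")) return directives.get("default-src");
  return null;
}

// Does one source expression ('self', scheme-source, or host-source) match the script URL?
function sourceMatches(source, scriptUrl, documentOrigin) {
  const url = new URL(scriptUrl);
  const urlScheme = url.protocol.slice(0, -1).toLowerCase();
  if (source === "'self'") return documentOrigin !== null && url.origin === documentOrigin;
  if (source.startsWith("'")) return false; // other keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {   // scheme-source, e.g. "https:"
    return source.slice(0, -1).toLowerCase() === urlScheme;
  }
  let rest = source;
  const schemeMatch = rest.match(/^([a-z][a-z0-9+.-]*):\/\//i);
  if (schemeMatch) {
    if (schemeMatch[1].toLowerCase() !== urlScheme) return false;
    rest = rest.slice(schemeMatch[0].length);
  }
  const [hostPort] = rest.split("/");            // path component not modelled
  const [host, port] = hostPort.toLowerCase().split(":");
  const urlHost = url.hostname.toLowerCase();
  if (host === "*") {
    // any host
  } else if (host.startsWith("*.")) {
    if (!urlHost.endsWith(host.slice(1))) return false;
  } else if (host !== urlHost) {
    return false;
  }
  if (port && port !== "*") {
    const urlPort = url.port || (urlScheme === "https" ? "443" : "80");
    if (port !== urlPort) return false;
  }
  return true;
}

// Summarise what the policy lets scripts do. documentOrigin is needed only for 'self'.
function evaluateScriptPolicy(policy, scriptUrl, documentOrigin = null) {
  const sources = effectiveScriptSources(parseCsp(policy));
  if (sources === null) {
    return { restricted: false, allowsEval: true, allowsInline: true, allowsUrl: true };
  }
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return {
    restricted: true,
    allowsEval: lower.includes("'unsafe-eval'"),
    // CSP level 2 and later: 'unsafe-inline' is ignored once a nonce or hash is present.
    allowsInline: lower.includes("'unsafe-inline'") && !hasNonceOrHash,
    allowsUrl: sources.some((s) => sourceMatches(s, scriptUrl, documentOrigin)),
  };
}

// The policy quoted verbatim from the console error in the question.
const TWITTER_POLICY =
  "script-src https://abs.twimg.com https://abs-0.twimg.com https://twitter.com https://mobile.twitter.com";

// Constructed: the same policy after the change the comments discuss.
const WIDENED_POLICY = TWITTER_POLICY + " 'unsafe-eval'";

const before = evaluateScriptPolicy(TWITTER_POLICY, "https://abs.twimg.com/app.js");
const after = evaluateScriptPolicy(WIDENED_POLICY, "https://abs.twimg.com/app.js");
console.log("before:", before); // allowsEval false: the reported "Refused to evaluate" error
console.log("after :", after);  // allowsEval true, at the cost of CSP's protection against eval
```

Running it prints `allowsEval: false` for the original policy (which is why the console reports the refusal) and `true` once `'unsafe-eval'` is added to `script-src`; a `default-src 'self'` policy with no `script-src` also restricts scripts, because the fallback applies, and a policy that only sets `img-src` leaves scripts unrestricted. That is the check worth running on a policy before widening it.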
