
I'm using APIDoc to generate the API documentation for my NodeJS app. I'm facing a problem while serving the generated index.html page: Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'". Screenshot of the problem message here. How do I solve this error?

I've tried turning off security and sending script-src 'self' in the <meta> of this HTML page. All I need is a working form of this page.

1 Answer


You likely have three choices:

  1. Add 'unsafe-eval' to script-src, which will make it work, but you won't get the strictest CSP possible (though still a lot better than not having a CSP at all).
  2. If it is your code that includes eval, setInterval, setTimeout or new Function, try to rewrite it as suggested here: https://developers.google.com/web/fundamentals/security/csp#eval_too
  3. If the problems appear in third-party code, see if it can be replaced in some way.

Adding another CSP in the meta tag won't help. All policies need to pass, and you can only make it stricter by adding another policy.

Halvor Sakshaug
  • Thank you for the answer. This is an auto-generated document from the APIDOC tool. Do you suggest replacing the lines that cause the CSP warning every time we generate the document? – Qamar Zaman Mar 28 '22 at 06:59
  • I would first ask the question: What is our threat model, and is a strict CSP the best security investment with the available resources? If the doc still works, you can likely just ignore the fact that errors are thrown. If it is possible to enable 'unsafe-eval' for just that part, or even the entire app, I would do it if I had no other options. Then move on and improve something else in the time you just saved. – Halvor Sakshaug Mar 29 '22 at 07:09
  • We've already implemented security using OAuth; CSP is not used strictly in other portions of the app. – Qamar Zaman Mar 31 '22 at 06:56
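One way to act on choice 1 together with the comment's suggestion of enabling 'unsafe-eval' for just the docs, as an added example (not code from the question, the answer or the APIDoc project): a Node helper that emits the strict header for the app and a relaxed one only under an assumed /apidoc/ mount, plus a small checker that shows why a looser <meta> policy cannot undo a strict header (eval runs only if every policy in effect allows it). The /apidoc/ path and the Express-style middleware signature are assumptions.

```javascript
// Strict policy for the app; the relaxed one is served only for the generated docs.
const STRICT_CSP = "default-src 'self'; script-src 'self'; object-src 'none'";
const APIDOC_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval'; object-src 'none'";

// Pick the policy for a request path: 'unsafe-eval' only under the assumed docs mount.
function cspHeaderFor(urlPath) {
  return urlPath.startsWith('/apidoc/') ? APIDOC_CSP : STRICT_CSP;
}

// Parse "directive src src; directive src" into { directive: [sources] }.
function parsePolicy(policy) {
  const out = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// A single policy permits eval() when its script-src (falling back to
// default-src) lists 'unsafe-eval'; with neither directive present it is unrestricted.
function policyAllowsEval(policy) {
  const p = parsePolicy(policy);
  const srcs = p['script-src'] || p['default-src'];
  if (!srcs) return true;
  return srcs.map(s => s.toLowerCase()).includes("'unsafe-eval'");
}

// Several policies (header plus <meta>, or two headers) are each enforced by the
// browser, so eval() runs only if all of them allow it. A looser <meta> policy
// therefore cannot relax a strict header, only a stricter one can tighten it.
function evalAllowed(policies) {
  return policies.every(policyAllowsEval);
}

// Express-style middleware (hypothetical signature; no framework required here).
function cspMiddleware(req, res, next) {
  res.setHeader('Content-Security-Policy', cspHeaderFor(req.url));
  next();
}
```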