Content Security Policy - unsafe eval error. Allowing a specific node_module file : node_modules/aurelia-webpack-plugin/runtime/empty-entry.js

Question

I want to enforce CSP as a security measure in my web application. From the server end , I have set the policy to "allow" self for all of its resources. However there is one particular front end node_module file , which is throwing error as attached below.

The CSP header set is : script-src 'self' 'node_modules/aurelia-webpack-plugin/runtime/empty-entry.js'; script-src-elem 'self'; style-src 'self'; img-src 'self'

Please help , I have been trying to find a solution for more than a week now! Solutions tried:

1. Try the front end to make it ignore this file since it is an empty file. But I am not able to get it to ignore.
2. Trying from server end to bypass this particular file by changing the rules

TIA.

Update: Error message UnCaught EvalError: Refused to evaluate a string as Javascript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'"

at ./node_modules/aurelia-webpack-plugin/runtime/empty-entry.js

Answer 1

The file seems to be allowed to load as it is loaded from the same source and you have allowed script-src 'self'.

The problem seems to be that the code in the file does eval(), new Function(), setInterval() or setTimeout(), which requires 'unsafe-eval' to be allowed. This is strange given that the file should be empty. Your console errer may provide you with a direct link to the offending code.

You could add 'unsafe-eval' to script-src. This would make your CSP less strict, but it is of course a lot better to set "script-src 'self' 'unsafe-eval';" than to not restrict scripts with a CSP at all.