
I have around 50+ files in which the eval() function is used. Most of them are JS libraries such as jquery, datepicker, thickbox, buttons, timepicker. How can I fix this?

I tried a strict CSP, but it stops jquery, the website layout gets changed, and some functionalities stopped working.

This is what I have:

<?php
session_start(); // $_SESSION['token_csp'] is read below

header(
  "Content-Security-Policy: upgrade-insecure-requests; default-src 'self' 'unsafe-inline'; " .
  "object-src 'none'; " .
  // '*' is prefixed to the host with 'www' stripped, e.g. www.example.com -> *.example.com
  "style-src 'self' 'unsafe-inline' fonts.googleapis.com *" . str_replace('www', '', $_SERVER['HTTP_HOST']) . "; " .
  // once a nonce is present, CSP2+ browsers ignore 'unsafe-inline' in script-src; 'unsafe-eval' is what keeps eval() working
  "script-src 'self' 'nonce-" . $_SESSION['token_csp'] . "' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.googletagmanager.com/gtag/; " .
  // 'unsafe-inline' and 'unsafe-eval' are not meaningful in font-src or frame-src; browsers ignore them there
  "font-src 'self' 'unsafe-inline' fonts.gstatic.com; " .
  "frame-src 'self' 'unsafe-inline' 'unsafe-eval' data: https://www.google.com/ *.youtube.com *.youtube-nocookie.com; " .
  "img-src https: data:; " .
  "base-uri 'self'; " .
  "form-action 'self'; " .
  "child-src 'self'; " .
  "media-src *.google.com *.youtube.com; " .
  "frame-ancestors 'none'; " .
  "connect-src *; "
  // "report-uri https://3c72f406c71f6c7c8e8f8dff8658bd09.report-uri.com/r/d/csp/enforce; "
);
  • The point of the stricter CSP is to eliminate all uses of `eval`. That can only be achieved by rewriting all your code to not use `eval`. – Tugrul Ates Oct 29 '22 at 19:40
  • Please see https://stackoverflow.com/questions/37155270/content-security-policy-csp-safe-usage-of-unsafe-eval – Tugrul Ates Oct 29 '22 at 19:40
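A staged way to find out which of the 50+ files actually depend on eval() before removing 'unsafe-eval', as an added example (not code from the question or from any of the libraries it names). It assumes PHP with sessions, a hypothetical `/csp-report.php` endpoint that logs violation reports, and the same third-party origins as the policy above; a fresh nonce is generated per response instead of reusing a session-wide token.

```php
<?php
// Two headers are sent at once: the enforced policy still permits eval(),
// while a Report-Only copy without 'unsafe-eval' logs every script that
// would break. Once the report log stays empty, switch the enforced header.
session_start();

// A per-response nonce; a value reused across requests can be replayed.
$cspNonce = base64_encode(random_bytes(16));
$GLOBALS['csp_nonce'] = $cspNonce;

function csp_policy(string $nonce, bool $allowEval): string
{
    // 'strict-dynamic' lets nonced scripts (jquery, gtag, recaptcha loader)
    // load their own dependencies; the host list is the fallback for
    // browsers without CSP3 support.
    $script = "'self' 'nonce-{$nonce}' 'strict-dynamic' "
            . "https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ "
            . "https://www.googletagmanager.com/";
    if ($allowEval) {
        $script .= " 'unsafe-eval'";  // transitional; removed once reports are clean
    }
    return implode('; ', [
        "default-src 'self'",
        "script-src {$script}",
        "style-src 'self' 'unsafe-inline' fonts.googleapis.com",
        "font-src 'self' fonts.gstatic.com",
        "img-src https: data:",
        "frame-src 'self' https://www.google.com/ *.youtube.com *.youtube-nocookie.com",
        "media-src *.google.com *.youtube.com",
        "connect-src *",
        "object-src 'none'",
        "base-uri 'self'",
        "form-action 'self'",
        "frame-ancestors 'none'",
        "report-uri /csp-report.php",  // hypothetical endpoint that stores the JSON reports
    ]);
}

// Helper for templates so every <script> tag carries the current nonce.
function script_tag(string $src): string
{
    $nonce = htmlspecialchars($GLOBALS['csp_nonce'], ENT_QUOTES);
    return '<script nonce="' . $nonce . '" src="' . htmlspecialchars($src, ENT_QUOTES) . '"></script>';
}

header('Content-Security-Policy: ' . csp_policy($cspNonce, true));
header('Content-Security-Policy-Report-Only: ' . csp_policy($cspNonce, false));
```

Reports caused by eval() arrive with `blocked-uri` set to `eval` and the offending `source-file`, which gives the exact list of library files to replace or rewrite; when that list is empty, change the enforced header to `csp_policy($cspNonce, false)` and drop the Report-Only one.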
