Opened 5 years ago
Last modified 4 months ago
#49812 reopened defect (bug)
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'".
| Reported by: | anvme | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 6.6.1 |
| Component: | Posts, Post Types | Keywords: | |
| Focuses: | | Cc: | |
Description
We got a problem =(
Clean wp installation.
Pages
/wp-admin/post-new.php
/wp-admin/post.php?post=1&action=edit
Server configuration: NGINX + PHP-FPM
I have a security file
/etc/nginx/blog.anv.me/security.conf
...
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
...
Content Security Policy is an effective measure to protect my blog from XSS attacks.
Console log
[Error] EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'". Function (data.js:161) (anonymous function) (data.js:161) combineReducers (data.js:162) (anonymous function) (blocks.js:6146:95) __webpack_require__ (blocks.js:21) (anonymous function) (blocks.js:85) Global Code (blocks.js:86)
[Error] TypeError: undefined is not an object (evaluating 'wp.blocks.setCategories') Global Code (post-new.php:1673)
[Error] EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'". Function (data.js:161) (anonymous function) (data.js:161) combineReducers (data.js:162) (anonymous function) (rich-text.js:761:95) __webpack_require__ (rich-text.js:21) (anonymous function) (rich-text.js:85) Global Code (rich-text.js:86)
[Error] EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'". Function (data.js:161) (anonymous function) (data.js:161) combineReducers (data.js:162) createReduxStore (data.js:1722) createNamespace (data.js:1611) (anonymous function) (data.js:2240) (anonymous function) (keyboard-shortcuts.js:853:91) __webpack_require__ (keyboard-shortcuts.js:21) (anonymous function) (keyboard-shortcuts.js:85) Global Code (keyboard-shortcuts.js:86)
[Error] EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'". Function (data.js:161) (anonymous function) (data.js:161) combineReducers (data.js:162) createReduxStore (data.js:1722) createNamespace (data.js:1611) (anonymous function) (data.js:2240) (anonymous function) (viewport.js:340:91) __webpack_require__ (viewport.js:21) (anonymous function) (viewport.js:85) Global Code (viewport.js:86)
[Error] EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'". Function (data.js:161) (anonymous function) (data.js:161) combineReducers (data.js:162) (anonymous function) (lodash.js:5115) (anonymous function) (block-editor.js:9447) __webpack_require__ (block-editor.js:21) (anonymous function) (block-editor.js:85) Global Code (block-editor.js:86)
[Error] EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'". Function (data.js:161) (anonymous function) (data.js:161) combineReducers (data.js:162) (anonymous function) (core-data.js:2233:108) __webpack_require__ (core-data.js:21) (anonymous function) (core-data.js:85) Global Code (core-data.js:86)
[Error] TypeError: undefined is not an object (evaluating 'external_this_wp_blockEditor_["withFontSizes"]') (anonymous function) (block-library.js:3388:104) __webpack_require__ (block-library.js:21) (anonymous function) (block-library.js:85) Global Code (block-library.js:86)
[Error] EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'". Function (data.js:161) (anonymous function) (data.js:161) combineReducers (data.js:162) createReduxStore (data.js:1722) createNamespace (data.js:1611) (anonymous function) (data.js:2240) (anonymous function) (notices.js:548:91) __webpack_require__ (notices.js:21) (anonymous function) (notices.js:85) Global Code (notices.js:86)
[Error] TypeError: undefined is not an object (evaluating 'external_this_wp_blockEditor_["SETTINGS_DEFAULTS"]') (anonymous function) (editor.js:2095) __webpack_require__ (editor.js:21) (anonymous function) (editor.js:85) Global Code (editor.js:86)
[Error] EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'". Function (data.js:161) (anonymous function) (data.js:161) combineReducers (data.js:162) (anonymous function) (lodash.js:5115) (anonymous function) (edit-post.js:1491:148) __webpack_require__ (edit-post.js:21) (anonymous function) (edit-post.js:85) Global Code (edit-post.js:86)
[Error] TypeError: undefined is not an object (evaluating 'external_this_wp_richText_["registerFormatType"]') (anonymous function) (format-library.js:1897) forEach (anonymous function) (format-library.js:1893) __webpack_require__ (format-library.js:21) (anonymous function) (format-library.js:85) Global Code (format-library.js:86)
[Error] TypeError: undefined is not an object (evaluating 'wp.editPost.initializeEditor') (anonymous function) (post-new.php:1827)
[Error] TypeError: undefined is not an object (evaluating 'wp.blocks.unregisterBlockStyle') (anonymous function) (editor-script-block.js:8)
Change History (3)
#1
5 years ago
- Keywords needs-patch removed
- Milestone Awaiting Review deleted
- Resolution set to duplicate
- Severity changed from major to normal
- Status changed from new to closed
- Version 5.4 deleted
#2
4 years ago
- Resolution duplicate deleted
- Status changed from closed to reopened
I am having this error when clicking on theme customization.
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'".
How can I resolve it?
#3
4 months ago
- Version set to 6.6.1
I am also experiencing a similar issue with the WordPress core file: https://github.com/WordPress/WordPress/blob/master/wp-includes/js/tw-sack.js which uses the JavaScript eval() function, which is blocked when not using 'unsafe-eval' in the Content Security Policy.
This seems like a big security hole, if we have to add 'unsafe-eval' to the CSP.
Is this going to be fixed anytime soon?
Hello @anvme, welcome to WordPress Trac!
Thanks for your report. This is a known issue which is being tracked in #39941.
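Added illustration, not part of the ticket or of WordPress: the check below applies the browser's directive fallback (script-src governs scripts, otherwise default-src, otherwise nothing) to the header quoted in the description, which is the same condition that blocks the eval() call in tw-sack.js mentioned in comment 3. Function names and the second, admin-only policy are my own assumptions.

```javascript
// Parse "name src1 src2; name2 ..." into a Map of directive -> array of sources.
// Directive names are case-insensitive; a repeated directive keeps its first
// occurrence, which is what browsers do.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const raw of headerValue.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report which directive governs script execution and what it permits.
function scriptPolicy(headerValue) {
  const directives = parseCsp(headerValue);
  const governing = directives.has('script-src') ? 'script-src'
                  : directives.has('default-src') ? 'default-src'
                  : null;
  if (governing === null) {
    // No directive restricts scripts at all, so eval() and inline code run.
    return { governing, allowsEval: true, allowsInline: true };
  }
  const sources = directives.get(governing).map((s) => s.toLowerCase());
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return {
    governing,
    allowsEval: sources.includes("'unsafe-eval'"),
    // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
    allowsInline: sources.includes("'unsafe-inline'") && !hasNonceOrHash,
  };
}

// Runtime probe of the same condition: under a policy without 'unsafe-eval'
// the Function constructor throws EvalError (the "Function (data.js:161)" frame
// in the ticket). Outside any CSP, e.g. in Node, it simply returns true.
function evalPermittedAtRuntime() {
  try {
    return new Function('return 1')() === 1;
  } catch (err) {
    if (err instanceof EvalError) return false;
    throw err;
  }
}

// The header from the ticket: default-src governs scripts and lacks 'unsafe-eval'.
const TICKET_POLICY = "default-src 'self' http: https: data: blob: 'unsafe-inline'";
```

Running scriptPolicy(TICKET_POLICY) reports governing 'default-src' with allowsEval false, which is exactly why the editor scripts fail; a policy that adds 'unsafe-eval' only to a script-src directive served on /wp-admin/ paths leaves the public pages' policy unchanged.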