Make WordPress Core

Opened 5 years ago

Last modified 4 months ago

#49812 reopened defect (bug)

EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'".

Reported by: anvme
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 6.6.1
Component: Posts, Post Types
Keywords:
Focuses:
Cc:

Description

We got a problem =(
Clean wp installation.
Pages
/wp-admin/post-new.php
/wp-admin/post.php?post=1&action=edit

Server configuration: NGINX + PHP-FPM
I have a security file
/etc/nginx/blog.anv.me/security.conf
...
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
...
Content Security Policy is an effective measure to protect my blog from XSS attacks.

Console log

[Error] EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'".

	Function (data.js:161)
	(anonymous function) (data.js:161)
	combineReducers (data.js:162)
	(anonymous function) (blocks.js:6146:95)
	__webpack_require__ (blocks.js:21)
	(anonymous function) (blocks.js:85)
	Global Code (blocks.js:86)
[Error] TypeError: undefined is not an object (evaluating 'wp.blocks.setCategories')
	Global Code (post-new.php:1673)
[Error] EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'".

	Function (data.js:161)
	(anonymous function) (data.js:161)
	combineReducers (data.js:162)
	(anonymous function) (rich-text.js:761:95)
	__webpack_require__ (rich-text.js:21)
	(anonymous function) (rich-text.js:85)
	Global Code (rich-text.js:86)
[Error] EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'".

	Function (data.js:161)
	(anonymous function) (data.js:161)
	combineReducers (data.js:162)
	createReduxStore (data.js:1722)
	createNamespace (data.js:1611)
	(anonymous function) (data.js:2240)
	(anonymous function) (keyboard-shortcuts.js:853:91)
	__webpack_require__ (keyboard-shortcuts.js:21)
	(anonymous function) (keyboard-shortcuts.js:85)
	Global Code (keyboard-shortcuts.js:86)
[Error] EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'".

	Function (data.js:161)
	(anonymous function) (data.js:161)
	combineReducers (data.js:162)
	createReduxStore (data.js:1722)
	createNamespace (data.js:1611)
	(anonymous function) (data.js:2240)
	(anonymous function) (viewport.js:340:91)
	__webpack_require__ (viewport.js:21)
	(anonymous function) (viewport.js:85)
	Global Code (viewport.js:86)
[Error] EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'".

	Function (data.js:161)
	(anonymous function) (data.js:161)
	combineReducers (data.js:162)
	(anonymous function) (lodash.js:5115)
	(anonymous function) (block-editor.js:9447)
	__webpack_require__ (block-editor.js:21)
	(anonymous function) (block-editor.js:85)
	Global Code (block-editor.js:86)
[Error] EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'".

	Function (data.js:161)
	(anonymous function) (data.js:161)
	combineReducers (data.js:162)
	(anonymous function) (core-data.js:2233:108)
	__webpack_require__ (core-data.js:21)
	(anonymous function) (core-data.js:85)
	Global Code (core-data.js:86)
[Error] TypeError: undefined is not an object (evaluating 'external_this_wp_blockEditor_["withFontSizes"]')
	(anonymous function) (block-library.js:3388:104)
	__webpack_require__ (block-library.js:21)
	(anonymous function) (block-library.js:85)
	Global Code (block-library.js:86)
[Error] EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'".

	Function (data.js:161)
	(anonymous function) (data.js:161)
	combineReducers (data.js:162)
	createReduxStore (data.js:1722)
	createNamespace (data.js:1611)
	(anonymous function) (data.js:2240)
	(anonymous function) (notices.js:548:91)
	__webpack_require__ (notices.js:21)
	(anonymous function) (notices.js:85)
	Global Code (notices.js:86)
[Error] TypeError: undefined is not an object (evaluating 'external_this_wp_blockEditor_["SETTINGS_DEFAULTS"]')
	(anonymous function) (editor.js:2095)
	__webpack_require__ (editor.js:21)
	(anonymous function) (editor.js:85)
	Global Code (editor.js:86)
[Error] EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'".

	Function (data.js:161)
	(anonymous function) (data.js:161)
	combineReducers (data.js:162)
	(anonymous function) (lodash.js:5115)
	(anonymous function) (edit-post.js:1491:148)
	__webpack_require__ (edit-post.js:21)
	(anonymous function) (edit-post.js:85)
	Global Code (edit-post.js:86)
[Error] TypeError: undefined is not an object (evaluating 'external_this_wp_richText_["registerFormatType"]')
	(anonymous function) (format-library.js:1897)
	forEach
	(anonymous function) (format-library.js:1893)
	__webpack_require__ (format-library.js:21)
	(anonymous function) (format-library.js:85)
	Global Code (format-library.js:86)
[Error] TypeError: undefined is not an object (evaluating 'wp.editPost.initializeEditor')
	(anonymous function) (post-new.php:1827)
[Error] TypeError: undefined is not an object (evaluating 'wp.blocks.unregisterBlockStyle')
	(anonymous function) (editor-script-block.js:8)
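Added example, not code from WordPress or the Gutenberg packages: it reconstructs the pattern behind the `Function (data.js:161)` frame in the trace above, a reducer combiner that assembles its function body as a string and compiles it with `new Function`, beside a closure-based equivalent that runs under the reporter's CSP, plus a probe that recognises the EvalError. The code-generating combiner and the sample reducers are assumptions constructed here, not the actual data.js source.

```javascript
// Constructed example (not WordPress/Gutenberg code). combineReducersCodegen mirrors the
// pattern the stack trace points at: source text compiled via `new Function`, which a
// browser rejects under a CSP lacking 'unsafe-eval'. combineReducersPlain is CSP-safe.

// Assumed to resemble the code-generating combiner; the generated source is ours.
function combineReducersCodegen(reducers) {
  const keys = Object.keys(reducers);
  const line = (k, i) =>
    `  next[${JSON.stringify(k)}] = r[${i}](state[${JSON.stringify(k)}], action);\n` +
    `  changed = changed || next[${JSON.stringify(k)}] !== state[${JSON.stringify(k)}];\n`;
  const body =
    'return function (state, action) {\n' +
    '  state = state || {};\n  var next = {}, changed = false;\n' +
    keys.map(line).join('') +
    '  return changed ? next : state;\n};';
  // This call is the one a CSP without 'unsafe-eval' refuses with EvalError.
  return new Function('r', body)(keys.map((k) => reducers[k]));
}

// CSP-safe equivalent: identical semantics, no string-to-code compilation anywhere.
function combineReducersPlain(reducers) {
  const keys = Object.keys(reducers);
  return function (state = {}, action) {
    const next = {};
    let changed = false;
    for (const k of keys) {
      next[k] = reducers[k](state[k], action);
      changed = changed || next[k] !== state[k];
    }
    return changed ? next : state; // keep the old object when nothing changed
  };
}

// Feature probe: false when the page's CSP forbids eval/new Function, true otherwise
// (Node enforces no CSP, so it returns true there). A CSP-aware bundle could pick the
// closure-based combiner on false instead of failing while the editor scripts load.
function cspAllowsEval() {
  try {
    new Function('return 1')();
    return true;
  } catch (e) {
    if (e instanceof EvalError) return false; // "Refused to evaluate a string as JavaScript"
    throw e;
  }
}

// Constructed sample reducers for trying both combiners.
const counter = (s = 0, a) => (a.type === 'inc' ? s + 1 : s);
const notes = (s = [], a) => (a.type === 'note' ? s.concat(a.text) : s);
```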

Change History (3)

#1 @ocean90
5 years ago

  • Keywords needs-patch removed
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Severity changed from major to normal
  • Status changed from new to closed
  • Version 5.4 deleted

Hello @anvme, welcome to WordPress Trac!

Thanks for your report. This is a known issue which is being tracked in #39941.

#2 @nadiaam67
4 years ago

  • Resolution duplicate deleted
  • Status changed from closed to reopened

I am having this error when clicking on theme customization.
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'".

How can I resolve it?

#3 @papplebeebf
4 months ago

  • Version set to 6.6.1

I am also experiencing a similar issue with the WordPress core file: https://github.com/WordPress/WordPress/blob/master/wp-includes/js/tw-sack.js which uses the JavaScript eval() function, which is blocked when not using 'unsafe-eval' in the Content Security Policy.

This seems like a big security hole, if we have to add 'unsafe-eval' to the CSP.

Is this going to be fixed anytime soon?
