Skip to content
Advertisement

Refused to evaluate a string as JavaScript because ‘unsafe-eval’ is not an allowed source

I added the following to a web page:

<script type="text/javascript">
  window.addEventListener("load", function () {
    window.location = "https://localhost:5002";
  });
</script>

When I run the application I get the following error:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self'"

When I remove the script I do not get the error anymore.

Any idea why this happens?

Advertisement

Answer

Your current CSP setting is:

"default-src 'self'"

which means that you can only execute your code from your root URL (localhost:5000).

You can try to extend this policy to the other URL you are using:

"default-src 'self' https://localhost:5002"

The CSP setting location depends on your web server. In case of Apache, this is set in file ‘.htaccess’.

P.S: ‘unsafe-eval’ doesn’t seem to be related to the listener you are adding, but you can try the above change anyway.

User contributions licensed under: CC BY-SA
7 People found this is helpful
Advertisement