Closed
Version: 1.236.5
Getting the following console error, which also causes the toolbar to fail to load.
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' <custom-proxy> https://*.posthog.com 'unsafe-inline'".
at new Function (<anonymous>)
at QYe.iLt (index.ts:171:26)
at QYe.o3o (index.ts:228:45)
at QYe.r3o (index.ts:223:44)
at Object.code (ref.ts:18:33)
at ohi (index.ts:532:9)
at index.ts:228:21
Seems like a regression since it used to work. I don't think it breaks the event reporting, but does stop the toolbar from working.
The following is my (redacted) CSP config in NextJS
default-src 'self';
script-src 'self' <custom-proxy> https://*.posthog.com 'unsafe-inline';
style-src 'self' <custom-proxy> https://*.posthog.com 'unsafe-inline';
img-src 'self' <redacted> <redacted> <redacted> https://*.posthog.com data: ${process.env.NODE_ENV === 'production' ? '<redacted>' : '<redacted>'};
connect-src 'self' <redacted> <redacted> <custom-proxy> https://*.posthog.com;
worker-src 'self' blob: data:;
font-src 'self' https://*.posthog.com data:;
media-src https://*.posthog.com;
object-src 'none';
base-uri 'none';
form-action 'none';
frame-ancestors 'none';
upgrade-insecure-requests;
For obvious reasons, we are not happy to follow the suggestion and enable unsafe-eval
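To check a policy like the one above for the condition the error message describes, here is an added example (not code from the issue or from PostHog) that parses a CSP string and reports whether `eval` / `new Function` would be permitted. It assumes the CSP rule that `script-src` governs dynamic code evaluation, that `default-src` is the fallback when `script-src` is absent, and that the first occurrence of a directive wins; the proxy host is a constructed placeholder.

```javascript
// Added example: decide from a CSP header value whether dynamic code
// evaluation (eval, new Function) is allowed. Not part of the issue or PostHog.

// Split "name value value; name value" into a Map of directive -> source list.
// Directive names are case-insensitive; a repeated directive is ignored
// (the first occurrence wins, as user agents do).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return { allowed, governing }: which directive governs eval and whether
// it lists 'unsafe-eval'. With no script-src and no default-src there is
// no restriction, so eval is allowed.
function evalPolicy(policy) {
  const directives = parseCsp(policy);
  const governing = directives.has("script-src")
    ? "script-src"
    : directives.has("default-src") ? "default-src" : null;
  if (governing === null) return { allowed: true, governing };
  const sources = directives.get(governing);
  const allowed = sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
  return { allowed, governing };
}

function evalAllowed(policy) {
  return evalPolicy(policy).allowed;
}

// Constructed policy mirroring the shape of the issue's (redacted) config;
// https://proxy.example stands in for <custom-proxy>.
const ISSUE_POLICY = [
  "default-src 'self'",
  "script-src 'self' https://proxy.example https://*.posthog.com 'unsafe-inline'",
  "object-src 'none'",
  "base-uri 'none'",
].join("; ");
```

Run against the constructed policy, `evalPolicy` reports `script-src` as the governing directive with `allowed: false`, which is exactly the state in which `new Function` throws the EvalError quoted above.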