删除 CSP 头中的 unsafe-eval

huangapple go评论139阅读模式
英文:

remove unsafe-eval from CSP header

问题

在我的 JavaScript 代码中,使用了非安全的 eval 方法,但现在客户要求移除非安全的 eval。但是在我的代码中,所有的 JavaScript 库都在使用 eval 方法,在移除非安全的 eval 后,代码无法正常工作。请问如何在不改变库代码的情况下移除非安全的 eval?

我目前使用的版本是 2.0.2,但出现了以下错误:
删除 CSP 头中的 unsafe-eval

zone.min.js?_=1686053845269:1 抛出 EvalError: 拒绝评估字符串作为 JavaScript,因为 Content Security Policy 指令中未允许 'unsafe-eval' 作为脚本的来源。指令如下:"script-src 'self' 'nonce-/jHqQHDI76+2UJhy0y0afg=='"。

at new Function (<anonymous>)
at evalExpression (compiler.umd.min.js?_=1686053845269:6:1473)
at jitStatements (compiler.umd.min.js?_=1686053845269:21:30062)
at RuntimeCompiler._compileModule (compiler.umd.min.js?_=1686053845269:41:18413)
at RuntimeCompiler._compileModuleAndComponents (compiler.umd.min.js?_=1686053845269:41:16590)
at RuntimeCompiler.compileModuleAsync (compiler.umd.min.js?_=1686053845269:41:16063)
at PlatformRef_._bootstrapModuleWithZone (core.umd.min.js?_=1686053845269:35:26523)
at PlatformRef_.bootstrapModule (core.umd.min.js?_=1686053845269:35:25813)
at Object.initAngularComponents (consentRegistry.js?_=1686053845270:415:47)
at Object.init (consentRegistry.js?_=1686053845270:63:22)
英文:

I have very old javascript code and in that code they are using unsafe-eval but now client is saying we have to remove unsafe-eval but in my code in all the java script library is using eval method and code is not working after removing unsafe-eval,how i can remove unsafe-eval without changing the lib code.

so which version i can use that will not give me nonce error.
currently i am using 2.0.2
and getting below error.
删除 CSP 头中的 unsafe-eval

zone.min.js?_=1686053845269:1 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'nonce-/jHqQHDI76+2UJhy0y0afg=='".

at new Function (&lt;anonymous&gt;)
at evalExpression (compiler.umd.min.js?_=1686053845269:6:1473)
at jitStatements (compiler.umd.min.js?_=1686053845269:21:30062)
at RuntimeCompiler._compileModule (compiler.umd.min.js?_=1686053845269:41:18413)
at RuntimeCompiler._compileModuleAndComponents (compiler.umd.min.js?_=1686053845269:41:16590)
at RuntimeCompiler.compileModuleAsync (compiler.umd.min.js?_=1686053845269:41:16063)
at PlatformRef_._bootstrapModuleWithZone (core.umd.min.js?_=1686053845269:35:26523)
at PlatformRef_.bootstrapModule (core.umd.min.js?_=1686053845269:35:25813)
at Object.initAngularComponents (consentRegistry.js?_=1686053845270:415:47)
at Object.init (consentRegistry.js?_=1686053845270:63:22)

答案1

得分: 3

根据以下条件:

  1. 客户要求不允许使用 unsafe-eval
  2. 您有一个库,除非允许 unsafe-eval,否则无法正常工作
  3. 您不能更改该库的源代码

满足这三个条件的唯一方法是停止使用该库,并重新编写依赖于它的任何代码

英文:

Given:

  1. The client requires that you do not allow unsafe-eval
  2. You have a library which will not work unless you allow unsafe-eval
  3. You cannot change the source code of that library

The only approach to have working code which is compatible with all three conditions is to stop using the library and rewrite any code you have which depends on it.

huangapple
  • 本文由 发表于 2023年6月5日 15:28:15
  • 转载请务必保留本文链接:https://go.coder-hub.com/76404295.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定