I have been hired to implement a CSP for a web site that uses the Mailchimp for WooCommerce plugin.

    If I disable unsafe-eval, the site reports an error in mailchimp-woocommerce-public.min.js?ver=4.1.07:

    Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' blob .....

    Is there a workaround for this?

Viewing 9 replies - 1 through 9 (of 9 total)
    Plugin Author ryanhungate

    (@ryanhungate)

    @mikemackechnie are you having trouble with the mailchimp.com or the “chimpstatic” domains? You’re bringing up a very good point that we’ll be glad to get resolved if possible.

    Thread Starter mikemackechnie

    (@mikemackechnie)

    It’s https://chimpstatic.com/ in my Content Security Policy.

    We are now running version 4.2.1 of the plugin, but we are still getting the problem.

    Plugin Support khungate

    (@khungate)

    Hi @mikemackechnie thanks for your patience. We wanted to let you know we escalated this issue to the proper channels shortly after your last message, and are awaiting further guidance from the team that works with this particular script at Mailchimp. We’ll update this thread as soon as we know more information.

    Hi,

    I am testing CSP for a client and noticed it didn’t like the first setTimeout function in the file:

     ./plugins/mailchimp-for-woocommerce/public/js/mailchimp-woocommerce-public.min.js

    Changing from:

    mailchimpReady=function(e){/in/.test(document.readyState)?setTimeout("mailchimpReady("+e+")",9):e()}

    to:

    mailchimpReady=function(e){/in/.test(document.readyState)?setTimeout(() => mailchimpReady(e),9):e()}

    seemed to work, possibly caused by this functionality…

    https://stackoverflow.com/questions/72061796/using-settimeout-with-strings-triggers-unsafe-eval-alert
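    An added example, not code from the plugin or from anyone in this thread: a closure-based rewrite of the readiness helper that a script-src policy without 'unsafe-eval' accepts, plus a small textual scan for the constructs that trip that policy (string-form timer calls, eval, the Function constructor), which is useful when auditing bundled scripts before tightening a CSP. The function names, the injected doc parameter and the "after" sample line are assumptions.

```javascript
// Added example (not the plugin's code): a CSP-safe readiness helper and a
// static check for the constructs that require 'unsafe-eval'.

// Closure-based version of the plugin's helper. setTimeout receives a function,
// not a string, so no script text is compiled at runtime.
// `doc` is injected (hypothetical parameter) so the helper can run outside a browser.
function mailchimpReadyCspSafe(callback, doc) {
  if (/in/.test(doc.readyState)) {          // "loading": DOM not ready yet
    setTimeout(function () { mailchimpReadyCspSafe(callback, doc); }, 9);
  } else {
    callback();
  }
}

// Constructs a browser refuses under script-src without 'unsafe-eval':
// a string literal passed to setTimeout/setInterval, eval(), new Function().
// This is a textual check only: a string reaching setTimeout via a variable
// is not detected, so treat a clean result as a first pass, not as proof.
const UNSAFE_EVAL_PATTERNS = [
  { name: 'timer-string',  re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/g },
  { name: 'eval',          re: /\beval\s*\(/g },
  { name: 'function-ctor', re: /\bnew\s+Function\s*\(/g },
];

// Returns one {pattern, offset, snippet} per hit, ordered by position in `source`.
function findUnsafeEvalUses(source) {
  const hits = [];
  for (const { name, re } of UNSAFE_EVAL_PATTERNS) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(source)) !== null) {
      hits.push({ pattern: name, offset: m.index, snippet: source.slice(m.index, m.index + 30) });
    }
  }
  return hits.sort((a, b) => a.offset - b.offset);
}

// Constructed sample: the minified line quoted in the thread and a closure-based fix.
const SAMPLE_BEFORE =
  'mailchimpReady=function(e){/in/.test(document.readyState)?setTimeout("mailchimpReady("+e+")",9):e()}';
const SAMPLE_AFTER =
  'mailchimpReady=function(e){/in/.test(document.readyState)?setTimeout(function(){mailchimpReady(e)},9):e()}';

for (const [label, src] of [['before', SAMPLE_BEFORE], ['after', SAMPLE_AFTER]]) {
  console.log(label, findUnsafeEvalUses(src));
}
```

Run it with node to see the "before" line flagged at the string-form setTimeout and the "after" line reported clean.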

    KJ

    (@kjvextras)

    That’s great news! Do you need anything else from us? We are still looking into things on our side.

    Thanks, modifying the js file on an ad-hoc basis is not my preferred approach, but personally I can wait until you resolve it. I can’t speak for @mikemackechnie.

    KJ

    (@kjvextras)

    Thanks so much for being patient with us @alibuc – This update is in our next release. We will swing back around to let you know when deployed. Chat soon!

    Thread Starter mikemackechnie

    (@mikemackechnie)

    Good news! I have applied @alibuc’s edit to the js and I can confirm that I can now disable unsafe-eval on my website. Good work @alibuc.

    KJ

    (@kjvextras)

    Heck yea! So happy things worked out – We appreciate you swinging back around and letting us know. Thanks for sticking with us! @mikemackechnie
