Plugin requires ‘unsafe-eval’ to be included in CSP

  • Resolved descomputers

    (@descomputers)


    4 years, 2 months ago

    I am using your plugin on a site for a financial organisation which requires a CSP to be set up to avoid XSS issues (amongst other things).

    When I switch on the CSP, unless I include the ‘unsafe-eval’ directive in the script-src, the column with the list of folders in the Pages section of the WP dashboard is empty.

    ‘eval’ is by definition unsafe. Is there anything that can be done to make your plugin work without having to open this option in the CSP?

    Cheers
    Greg

    WP version: 5.5.3
    PHP version: 7.4
    Hosting: WPEngine
    All plugins/themes are up to date

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author wickedplugins

    (@wickedplugins)

    Hi @descomputers,

    I apologize for not responding sooner but for some reason I didn’t receive an email notification about this thread.

    Our plugin doesn’t use the eval function anywhere; however, our plugin does rely on several other scripts shipped with WordPress including jQuery, various jQuery UI scripts, Backbone, and Underscore. My guess is that perhaps one of these other scripts uses the eval function.

    I’m afraid this isn’t something we can fix on our end since we don’t have control over those other scripts.

    Plugin Author wickedplugins

    (@wickedplugins)

    Hi @descomputers,

    I’m going to go ahead and mark this issue as resolved but if you still need help, please let us know.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Plugin requires ‘unsafe-eval’ to be included in CSP’ is closed to new replies.