JavaScript error: EvalError: call to Function() blocked by CSP

[GhaziTriki]

Description

I am running gitea behind nginx revers proxy. In the UI get the following JS error message that prevents me from doing some actions like switching to SSH.

JavaScript error: EvalError: call to Function() blocked by CSP (https://gitea.mycompany.net/assets/js/index.js?v=1.19.0 @ 19:71859). Open browser console to see more details.

In the console I have 'Content Security Policy: The page’s settings blocked the loading of a resource at eval (“default-src”).'

Screenshots

Gitea Version

1.19.0

Can you reproduce the bug on the Gitea demo site?

Yes

Operating System

Ubuntu 20.04 LTS

Browser Version

Firefox 111.0.1 (64-bit)

[silverwind]

It's likely because of the Vue template compiler which requires unsafe-eval CSP. See #19851 and linked discussions. We need to find out how to remove it from served JS.

[wxiaoguang]

I think it has been fixed in 1.20 (the latest main dev branch), there is no EvalError anymore.

• Branch selector disappear immediately (Uncaught EvalError: 'unsafe-eval' is not an allowed) #19851 (comment)

Welcome to try.

[wxiaoguang]

Do you still have problem in 1.20? (I guess there won't be problem, I had tested the CSP when I did the refactoring)

That was a big refactoring, so the changes were not backported to 1.19

[GhaziTriki]

I confirm it works in 1.20 build from "main"

[techknowlogick]

@GhaziTriki fantastic! I'll close this ticket now :)