underscore.js requires CSP to use 'unsafe-eval' #2995
Comments
|
That line is actually line 87 of the template module: underscore/modules/template.js Line 87 in 1abc36c and the trick here is that a template is compiled into JavaScript code. That code can only be executed if you pass it through I mean, the I will close this ticket now because there is nothing we can do, but please feel free to respond if you have any more questions or comments. |
|
Hi Julian,
Thank you for replying to my query. I guess there is nothing that can be done. Fortunately I do not see underscore.js being used on the frontend side of my WordPress site. Just on the admin side.
I dynamically generate a CSP and create hashes for all inline scripts. And on the admin side I also do this check to add ‘unsafe-eval’ when certain scripts are included:
if (false !== strpos($page_html, 'block-templates/index.js') || false !== strpos($page_html, 'underscore.min.js') || false !== strpos($page_html, 'handlebars.min.js')) { $extra_script_rules .= " 'unsafe-eval' "; }
This enables me from using ‘unsafe-eval’ in the CSP for any admin pages which do not use any of those scripts. Thankfully, I have not found any situation where I need ‘unsafe-eval’ in the CSP for the frontend side.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
On line 936 there is a call to new Function:
render = new Function(argument, '_', source);
This requires use of 'unsafe-eval' when creating a Content Security Policy for scripts. Would it be possible to change this so 'new Function' is not used?
I don't find underscore.min.js being used on my frontend WordPress, but I do see it included on the admin side of my Wordpress. So when I create the CSP for the admin side, I need to check if the html includes underscore.min.js, and add 'unsafe-eval' to my script CSP.
The text was updated successfully, but these errors were encountered: