CSP - unsafe-eval errors because of "new Function" #265
Comments
webfansplz
added
bug
|
Thank you for the feedback, you can downgrade to v7.0.15. I'll check it out later. |
|
I re-reading my report and It was not 100% clear, with previous versions I mean 6.x ones. It's my first time trying to use 7.x on this environment. I expect the issue can a bit complex to fix since it implies rewriting the new Function() parts, which may not be an option at some point. |
I know, the code of new Function parts shipped on V7.0.16 (so v7.0.15 should be work fine.), we try use it to refactor the bridge messaging, now seems we missed this use cases, we’ll revert the design to cover this use case. |
|
ok, you're right. I reinstalled vue-devtools 7.0.15 globally and for some reason was still picking the old js build. I can confirm that after checking on 7.0.15 and compiling it works just fine. |
I'm working on a browser extension, and I wanted to used vue-devtools. But since MV3, CSP unsafe-eval is enforced, meaning that yuou cannot use:
according to: https://www.w3.org/TR/CSP3/#directive-script-src
Leading to the following error:
(index):71 Uncaught (in promise) EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' http://localhost:3303 http://localhost:8098".I used to have the old devtools working.
It seems that this as explicitly allowed at some point. ( looking at the eslint config ) :
devtools-next/packages/core/src/bridge/app.ts
Line 8 in 26b74b7
The text was updated successfully, but these errors were encountered: