Bug(scope): Message format compile throwing unsafe-eval errors
Is there an existing issue for this?
- [X] I have searched the existing issues
Which Transloco package(s) are the source of the bug?
MessageFormat
Is this a regression?
Yes
Current behavior
We are trying to remove 'unsafe-eval' from the CSP and are getting the error below:
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'
Expected behavior
There should not be an error after removing 'unsafe-eval' from the CSP, as we handle scripts through a nonce.
Please provide a link to a minimal reproduction of the bug; if you don't provide a link, the issue won't be handled.
https://github.com/jsverse/transloco/issues/364
Transloco Config
No response
Please provide the environment you discovered this bug in
Transloco:
Angular:
Node:
Package Manager:
OS:
Browser:
No response
Additional context
No response
I would like to make a pull request for this bug
Yes 🚀
@bh2989 Please provide the environment information.
@shaharkazaz I have the same issue
Transloco: "@jsverse/transloco": "^7.4.2", "@jsverse/transloco-messageformat": "^7.0.1", "@jsverse/transloco-persist-lang": "^7.0.1", "@jsverse/transloco-persist-translations": "^7.0.1",
Angular: "@angular/animations": "^18.1.0", "@angular/cdk": "^18.1.0", "@angular/common": "^18.1.0", "@angular/compiler": "^18.1.0", "@angular/core": "^18.1.0", "@angular/forms": "^18.1.0", "@angular/material": "^18.1.0"
Node: v22.3.0
Package Manager: npm
OS: Windows
Any suggestions on how to get rid of this issue?
Same here with latest versions of Angular and Transloco
This CSP issue could be resolved by adding a trustedTypesPolicy config option.
Currently, MessageFormat fails with Trusted Types because new Function() requires a TrustedScript.
Proposed API:

```ts
TranslocoModule.forRoot({
  config: {
    trustedTypesPolicy: 'custom-policy-name'
  }
})
```
Use trustedTypes.getPolicy(policyName)?.createScript() before new Function().
This would eliminate the need for 'unsafe-eval' in CSP while supporting custom policy names.
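The pattern proposed in the comment above, written out as an added example in plain JavaScript (this is not code from transloco or transloco-messageformat): look up a Trusted Types policy by its configured name, turn the compiled message source into a TrustedScript, and only then hand it to `new Function()`. The `registerMessagePolicy` and `compileMessage` helpers, the policy name, and the convention of a single argument object `d` are assumptions for illustration; the `tt` parameter defaults to the browser's `trustedTypes` factory and exists so the code also runs where Trusted Types are absent.

```javascript
// Added example (not transloco's or transloco-messageformat's code) showing the
// proposed flow: policy lookup -> createScript() -> new Function().
// Assumptions: the policy name comes from app config; registerMessagePolicy,
// compileMessage and the `d` argument convention are illustrative only.

// Register a policy under the configured name. A createScript rule that
// returns its input unchanged only *tags* the string as trusted; any real
// vetting of the generated source belongs inside this rule.
function registerMessagePolicy(policyName, tt = globalThis.trustedTypes) {
  if (!tt) return null; // No Trusted Types in this environment (e.g. Node)
  return tt.createPolicy(policyName, {
    createScript: (source) => source,
  });
}

// Wrap a source string as a TrustedScript when Trusted Types are available.
// `tt` defaults to window.trustedTypes; tests can inject a stand-in factory.
function toTrustedScript(source, policyName, tt = globalThis.trustedTypes) {
  if (!tt) {
    // Browser without Trusted Types (or Node): plain strings are accepted.
    return source;
  }
  const policy = tt.getPolicy(policyName);
  if (!policy) {
    // Fail with a clear message instead of the generic TypeError the browser
    // raises when new Function() receives an untrusted string under
    // require-trusted-types-for 'script'.
    throw new Error(`Trusted Types policy "${policyName}" is not registered`);
  }
  return policy.createScript(source);
}

// Compile a message body (a JavaScript expression over the argument object `d`,
// standing in for what the MessageFormat compiler emits) into a function.
function compileMessage(body, policyName, tt) {
  const script = toTrustedScript(`return (${body});`, policyName, tt);
  // new Function is the string-compilation sink that CSP gates: with a
  // script-src directive lacking 'unsafe-eval', this is the line that throws.
  return new Function('d', script);
}

// Example usage with a constructed message body:
//   registerMessagePolicy('custom-policy-name');
//   const plural = compileMessage(
//     'd.count === 1 ? "1 item" : d.count + " items"', 'custom-policy-name');
//   plural({ count: 3 }); // "3 items"
```

One design note for whoever wires this into a real app: a Trusted Types policy decides whether the string is allowed to reach the compiler at all, while the browser's `'unsafe-eval'` check on `script-src` is a separate step applied to `eval`/`new Function` regardless of the argument type, so verify the final behaviour against the exact CSP the deployment sends rather than assuming one mechanism covers the other.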
Same issue here on the latest packages. Is anyone looking at this?