formBuilder
formBuilder copied to clipboard
Content Security Policy and formbuilder
Description: form-builder.min.js doesn't work with CSP without unsafe-eval
Environment Details:
- formBuilder Version: 3.7.2
- Browser: Latest browsers
- OS: Any
Expected Behavior:
Should align with CSP to maintain security
Actual Behavior :
complains with below error (see image as well)
[Report Only] Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".
Steps to Reproduce
Just include the script, set CSP headers and check browser console.
@mkgn do you know what line of code is triggering that error? formBuilder doesn't use eval
Hmm... it's funny... the line it shows in console is 19. When you apply a CSP policy with "script-src 'self' does it complain?
Got a similar error, seems to load in a lang file.
I uglified the min file. I think you see which part of the code is trigger the CSP block.
![Screen Shot 2022-09-04 at 23 39 54](https://user-images.githubusercontent.com/21176316/188334629-6d7471fd-8b4d-46ff-90d2-4e858544cf1c.png)
![Screen Shot 2022-09-04 at 23 40 30](https://user-images.githubusercontent.com/21176316/188334632-badd60cb-53fa-416a-80de-cf140e710793.png)
@kevinchappell , The eval is injected by webpack 4.4 node.js global polyfill https://github.com/webpack/webpack/blob/webpack-4/buildin/global.js
new Function("return this")()
the simplest method to fix this is to disable injection of the polyfill in the webpack config
node: { global: false, }
I'll submit a PR
Got a similar error, seems to load in a lang file.
I uglified the min file. I think you see which part of the code is trigger the CSP block.
![]()
![]()
@jorgeuos You either need to allow this in your CSP to load the language file, or download the required language file and deploy it as part of your applications assets.
You can configure which lang file to use via the
i18n: {
locale: 'en-US',
location: "/path/to/lang/files"
}
@jorgeuos You either need to allow this in your CSP to load the language file, or download the required language file and deploy it as part of your applications assets.
You can configure which lang file to use via the
i18n: { locale: 'en-US', location: "/path/to/lang/files" }
Yes, I did that. Thank you.
fbOptions: {
i18n: {
locale: 'en-US',
location: '/path/to/formBuilder-languages/',
extension: '.lang',
},