
Content Security Policy throws `eval` error

Open raphaelokon opened this issue 4 years ago • 5 comments

Hi there.

I noticed that Klaro is throwing `Content Security Policy: The page's settings blocked the loading of a resource at eval ("script-src").` errors once I accept the tracker in the modal. Even if I remove any tracker code from HTML, Klaro is throwing because of the CSP eval violation.

My CSP is as simple as →

```html
<meta http-equiv="Content-Security-Policy" content="default-src 'self';">
```

Any help would be appreciated + thanks for the great tool.

Addendum:

Klaro still works somehow in that it disables or enables the scripts in question fyi. This is the related Google page explaining what might cause the eval error.

raphaelokon avatar Nov 24 '20 16:11 raphaelokon

Hi @raphaelokon! I'll have to investigate this, I'll get back to you shortly.

adewes avatar Nov 26 '20 10:11 adewes

Is there any news on that? I embedded Klaro in the last days and also encountered this behaviour. I had to add 'unsafe-eval' to the 'script-src' of my content security policy - which is not a good thing.

I encounter this when I click on the "accept all", "accept selected" or "decline" buttons. As already mentioned, the consent cookie is still set but the modal doesn't close.

brotkrueml avatar Aug 10 '21 08:08 brotkrueml

I can also verify this issue with the newest version of klaro. The error occurs on page load for me, but everything works fine, I can click all buttons and everything gets called as supposed. So the issue exists but for me it's just an annoyance that spams into Sentry.

t-heuser avatar Oct 04 '22 06:10 t-heuser

Will this be fixed? CSP is very important and we are searching for a new solution because our current tool also does not support useful CSP headers.

NeoBlack avatar Jan 25 '23 20:01 NeoBlack

@adewes Any news on this? This is really important now for us to get rid of the 'unsafe-eval' CSP value.

FYI: seems that this code (`new Function(...)`) raises the error:

```js
key: "applyConsents",
    value: function(e, t, r) {
        function n(e, t) {
            if (void 0 !== e)
                return ("function" == typeof e ? e : new Function("opts",e))(t)
        }
// ...
```

brotkrueml avatar Apr 17 '24 09:04 brotkrueml
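
The helper quoted in the last comment compiles any handler that is not already a function with `new Function`, which a `script-src` without `'unsafe-eval'` blocks. The following is an added example, not code from this thread or from Klaro: it audits a config for string handlers and runs handlers without compiling strings. The handler field names, the sample config and the registry are assumptions made for illustration.

```javascript
// Added example; not Klaro's source. These field names are assumed.
const HANDLER_FIELDS = ["onInit", "onAccept", "onDecline"];

// Constructed sample config: one handler is a string, one is a real function.
const SAMPLE_CONFIG = {
  services: [
    { name: "analytics", onAccept: "enableAnalytics" },
    { name: "chat", onAccept: (opts) => `chat:${opts.consent}` },
  ],
};

// Hypothetical allow-list of handlers, shipped in a script file the CSP permits.
const REGISTRY = {
  enableAnalytics: (opts) => `analytics:${opts.consent}`,
};

// Report every handler that is a string and would therefore reach `new Function`.
function findStringHandlers(config) {
  const hits = [];
  for (const service of config.services || []) {
    for (const field of HANDLER_FIELDS) {
      if (typeof service[field] === "string") hits.push(`${service.name}.${field}`);
    }
  }
  return hits;
}

// Same contract as the quoted helper n(e, t), but strings are looked up, never compiled.
function runHandlerStrict(handler, opts, registry = REGISTRY) {
  if (handler === undefined) return undefined;
  if (typeof handler === "function") return handler(opts);
  // Own-property check so names like "constructor" cannot resolve via the prototype.
  if (typeof handler === "string" &&
      Object.prototype.hasOwnProperty.call(registry, handler)) {
    return registry[handler](opts);
  }
  throw new TypeError("handler is neither a function nor a registered name");
}

console.log(findStringHandlers(SAMPLE_CONFIG));
console.log(runHandlerStrict(SAMPLE_CONFIG.services[0].onAccept, { consent: true }));
```

Running the audit over a real config shows which services would need their handlers converted to functions before `'unsafe-eval'` can be dropped from the policy.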