I’m working on an old react project where we are encountering a Content Security Policy (CSP) warning about using ‘unsafe-eval’. Here’s the specific message:
Refused to execute inline script because it violates the following Content Security Policy directive: “script-src ‘self’ ‘unsafe-eval’”. This issue has been flagged because ‘unsafe-eval’ is not recommended due to security risks.
Unfortunately, this is an old codebase with several instances of eval() that I can’t refactor at this moment. Completely removing eval() from the code isn’t feasible in the short term due to the complexity and potential for introducing bugs.
I’m aware that using ‘unsafe-eval’ opens up security vulnerabilities, but given my current situation, are there any alternative ways to address this CSP issue while still keeping eval() in use temporarily?
Here are a few specific questions:
Can I restrict ‘unsafe-eval’ to only certain scripts or parts of the site?
Are there any security mitigations I can put in place to reduce the risk of ‘unsafe-eval’ in the meantime?
Any suggestions for gradually transitioning away from eval() without breaking the old code?
Any help or insights would be greatly appreciated!
I tried to remove ‘unsafe-eval’ from the CSP header, but then my project stopped working.
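Two things a practitioner would want to check before answering, as an added example that is not code from the original post. First, a small inspector for what a `script-src` directive actually permits: `'unsafe-eval'` governs `eval()`, `new Function()` and string arguments to `setTimeout`, while an "inline script" refusal like the one quoted above is decided by `'unsafe-inline'` or a matching `'nonce-…'`/`'sha256-…'` value, not by `'unsafe-eval'`. Second, a shim for the gradual migration asked about in the third question: every legacy `eval()` call is routed through one function that tries the safe `JSON.parse` path first (most `eval` in old code parses JSON-ish strings, often wrapped in parentheses), falls back to indirect `eval` otherwise, and records which call sites still need the unsafe path. The names `parseScriptSrc`, `legacyEval`, `evalReport` and the sample header are invented for this illustration.

```javascript
// Added example, not code from the original post. The names parseScriptSrc,
// legacyEval, evalReport and SAMPLE_CSP are invented for this illustration.

// --- 1. What does a given script-src permit? -------------------------------
// Splits a CSP header into directives and reports, for script-src (or the
// default-src fallback the browser uses when script-src is absent), whether
// eval()-style code and inline <script> blocks are allowed. Per CSP3, when a
// nonce or hash source is present, 'unsafe-inline' is ignored, so nonce/hash
// is checked first.
function parseScriptSrc(cspHeader) {
  const directives = new Map();
  for (const raw of cspHeader.split(';')) {
    const parts = raw.trim().split(/\s+/).filter(Boolean);
    if (parts.length) directives.set(parts[0].toLowerCase(), parts.slice(1));
  }
  const values = directives.get('script-src') || directives.get('default-src') || [];
  const has = (kw) => values.some((v) => v.toLowerCase() === `'${kw}'`);
  let inline = 'blocked';
  if (values.some((v) => /^'(nonce-|sha(256|384|512)-)/i.test(v))) inline = 'nonce-or-hash';
  else if (has('unsafe-inline')) inline = 'unsafe-inline';
  return {
    allowsEval: has('unsafe-eval'),      // eval(), new Function(), string setTimeout
    inline,                               // 'blocked' | 'unsafe-inline' | 'nonce-or-hash'
    sources: values.filter((v) => !v.startsWith("'")), // host/scheme sources
  };
}

// --- 2. Migration shim for legacy eval() call sites ------------------------
const evalLog = new Map(); // call site -> { json: n, eval: n }

function callSite() {
  // Frame 0 is "Error", 1 is callSite, 2 is legacyEval, 3 is the legacy caller.
  const frames = (new Error().stack || '').split('\n');
  return (frames[3] || 'unknown').trim();
}

function record(site, kind) {
  const entry = evalLog.get(site) || { json: 0, eval: 0 };
  entry[kind] += 1;
  evalLog.set(site, entry);
}

// Drop-in replacement for eval(src) in old code: replace `eval(` with
// `legacyEval(` mechanically, then work the report down to zero.
function legacyEval(src) {
  if (typeof src !== 'string') return src; // eval() returns non-strings unchanged
  const site = callSite();
  // Legacy code usually does eval('(' + jsonText + ')'); strip the wrapper.
  const trimmed = src.trim();
  const candidate = trimmed.startsWith('(') && trimmed.endsWith(')')
    ? trimmed.slice(1, -1)
    : trimmed;
  try {
    const value = JSON.parse(candidate); // safe path: no code execution, CSP-clean
    record(site, 'json');
    return value;
  } catch (_) {
    // Not JSON: this call site genuinely executes code.
  }
  record(site, 'eval');
  // Indirect eval runs in global scope like a top-level eval would, and still
  // requires 'unsafe-eval'. This is the path to eliminate site by site.
  return (0, eval)(src);
}

// Backlog for the migration: only sites that still hit the real eval().
function evalReport() {
  return [...evalLog.entries()]
    .filter(([, c]) => c.eval > 0)
    .map(([site, c]) => ({ site, evalCalls: c.eval, jsonCalls: c.json }));
}

// Constructed sample: the directive quoted in the post.
const SAMPLE_CSP = "script-src 'self' 'unsafe-eval'";
console.log(parseScriptSrc(SAMPLE_CSP)); // allowsEval: true, inline: 'blocked'
console.log(legacyEval('({"user": "alice", "roles": ["admin"]})')); // JSON path
console.log(legacyEval('2 * 21')); // still needs eval()
console.log(evalReport());
```

Usage note: a CSP is attached per HTTP response, so `'unsafe-eval'` cannot be scoped to individual scripts within one document, but it can be served only on the routes that still render the legacy code while the rest of the site gets a stricter header. The JSON path in the shim also removes the prototype-pollution and code-execution risks that `eval` on attacker-influenced strings carries, so even before the backlog reaches zero the exposure shrinks to the sites `evalReport()` lists.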