• Resolved pictoru

    (@pictoru)


    Hello,

    I have to add a Content-Security-Policy (CSP) header to a page where the Calculated Fields Form plugin is instantiated. The form is not working. In the console, I received the following: “Refused to evaluate a string as JavaScript because ‘unsafe-eval’ is not an allowed source of script in the following Content Security Policy directive: “script-src””. It would be very simple just to add ‘unsafe-eval’ to the script-src key, but this would be as if script-src didn’t exist; it would not protect anything. I have added a nonce value to the script tag, which usually solves this issue in other contexts. In my situation, it does not. Is there someone who has had the same issue? Unfortunately, the presence of the CSP header should be a standard from now on.

    Thanks,

    Ciprian


Viewing 1 replies (of 1 total)
  • Plugin Author codepeople

    (@codepeople)

    Hello @pictoru

    My apologies for the delay in responding to your question.

    The plugin must replace the fields’ names with their values in the equations and use the eval function to evaluate them. However, the plugin escapes the fields’ values to avoid the problems related to the JavaScript eval function.

    Best regards.


The topic ‘Calculated Fields Form with CSP’ is closed to new replies.
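
The reply above says the plugin substitutes field values into the equation and calls eval, and eval is what a script-src without ‘unsafe-eval’ blocks; a nonce only authorizes the script element. As an added example (not part of the thread and not the plugin's code), this is a small arithmetic evaluator that needs no eval; `tokenize`, `evaluateEquation` and the field names are hypothetical.

```javascript
// Added example: arithmetic equations evaluated without eval() or new Function().
// tokenize, evaluateEquation and the field names are hypothetical, not the plugin's API.
function tokenize(src) {
  const re = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_]\w*|[-+*\/()]))/y;
  const tokens = [];
  const text = src.trimEnd();
  while (re.lastIndex < text.length) {
    const pos = re.lastIndex;
    const m = re.exec(text); // sticky match: must start exactly at pos
    if (!m) throw new SyntaxError(`Unexpected input at position ${pos}`);
    tokens.push(m[1] !== undefined ? Number(m[1]) : m[2]);
  }
  return tokens;
}

function evaluateEquation(equation, fields) {
  const tokens = tokenize(equation);
  let i = 0;
  const isOp = (...ops) => ops.includes(tokens[i]);
  function primary() {
    const t = tokens[i++];
    if (t === undefined) throw new SyntaxError('Unexpected end of equation');
    if (typeof t === 'number') return t;
    if (t === '-') return -primary();
    if (t === '(') {
      const v = sum();
      if (tokens[i++] !== ')') throw new SyntaxError("Expected ')'");
      return v;
    }
    if (!/^[A-Za-z_]/.test(t)) throw new SyntaxError(`Unexpected token ${t}`);
    // A field value is data: looked up and coerced to a number, never parsed as code.
    if (!Object.prototype.hasOwnProperty.call(fields, t)) throw new ReferenceError(`Unknown field ${t}`);
    const n = Number(fields[t]);
    if (!Number.isFinite(n)) throw new TypeError(`Field ${t} is not numeric`);
    return n;
  }
  function product() {
    let v = primary();
    while (isOp('*', '/')) v = tokens[i++] === '*' ? v * primary() : v / primary();
    return v;
  }
  function sum() {
    let v = product();
    while (isOp('+', '-')) v = tokens[i++] === '+' ? v + product() : v - product();
    return v;
  }
  const result = sum();
  if (i < tokens.length) throw new SyntaxError(`Unexpected token ${tokens[i]}`);
  return result;
}
```

Only numbers, field names, parentheses and the four operators are accepted; anything else in the equation or in a field value raises an error instead of being executed.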