Title: Error when using CSP directive “script-src ‘unsafe-eval’”
Last modified: October 16, 2025

---

# Error when using CSP directive “script-src ‘unsafe-eval’”

 *  Resolved [Matze Pabst](https://wordpress.org/support/users/matthiaspabst/)
 * (@matthiaspabst)
 * [7 months, 2 weeks ago](https://wordpress.org/support/topic/error-when-using-csp-directive-script-src-unsafe-eval/)
 * I’m trying to set up a Content Security Policy (CSP) as recommended by many security
   tools. Unfortunately, my forms don’t work if I don’t allow
   `script-src 'unsafe-eval'` in my policy. There’s at least one script in your
   plugin that uses eval():
 * /wp-content/plugins/calculated-fields-form/js/cache/all.js?ver=5.4.0.5 – Line:
   10066
 * Is there a chance to rewrite this function to make it safer? eval() shouldn’t
   be used.
   [https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval)

 *  Plugin Author [CodePeople2](https://wordpress.org/support/users/codepeople2/)
 * (@codepeople2)
 * [7 months, 2 weeks ago](https://wordpress.org/support/topic/error-when-using-csp-directive-script-src-unsafe-eval/#post-18683832)
 * Hello [@matthiaspabst](https://wordpress.org/support/users/matthiaspabst/)
 * In the current plugin version, it is required to evaluate the equations at runtime.
   However, the plugin escapes the fields’ values before using them in the equations.
   Note that you enter the equations by referring to the fields directly by their
   names, but the plugin must replace them and evaluate the equations. We are working
   on a mechanism to not depend on eval, but the plugin currently uses it safely.
 * Best regards.
 *  Plugin Author [CodePeople2](https://wordpress.org/support/users/codepeople2/)
 * (@codepeople2)
 * [7 months, 2 weeks ago](https://wordpress.org/support/topic/error-when-using-csp-directive-script-src-unsafe-eval/#post-18683851)
 * Hello [@matthiaspabst](https://wordpress.org/support/users/matthiaspabst/)
 * Please contact us through the plugin website. We will provide you with the code
   currently in progress to replace the “eval.”
   [https://cff.dwbooster.com/contact-us](https://cff.dwbooster.com/contact-us)
 * Best regards.
 *  Thread Starter [Matze Pabst](https://wordpress.org/support/users/matthiaspabst/)
 * (@matthiaspabst)
 * [7 months, 2 weeks ago](https://wordpress.org/support/topic/error-when-using-csp-directive-script-src-unsafe-eval/#post-18683884)
 * Hello [@codepeople2](https://wordpress.org/support/users/codepeople2/)
 * Thank you for your quick reply! Even if the eval() function is used safely in
   this case (is that even possible?), it does not solve the problem with a strict
   CSP without `script-src 'unsafe-eval'`. I am glad to hear that you are taking
   this issue seriously and working on a solution. Is it already clear when an updated
   version will be available?
 * Best regards
   Matthias
 *  Thread Starter [Matze Pabst](https://wordpress.org/support/users/matthiaspabst/)
 * (@matthiaspabst)
 * [7 months, 2 weeks ago](https://wordpress.org/support/topic/error-when-using-csp-directive-script-src-unsafe-eval/#post-18683886)
 * [@codepeople2](https://wordpress.org/support/users/codepeople2/) Sorry, just 
   noticed your 2nd reply. I will contact you.
 *  Plugin Author [CodePeople2](https://wordpress.org/support/users/codepeople2/)
 * (@codepeople2)
 * [7 months, 2 weeks ago](https://wordpress.org/support/topic/error-when-using-csp-directive-script-src-unsafe-eval/#post-18684217)
 * Hello [@matthiaspabst](https://wordpress.org/support/users/matthiaspabst/)
 * I wanted to follow up and see if you received the emails we sent from the plugin
   website. If you have, please let me know. Thank you!
 *  Thread Starter [Matze Pabst](https://wordpress.org/support/users/matthiaspabst/)
 * (@matthiaspabst)
 * [7 months, 2 weeks ago](https://wordpress.org/support/topic/error-when-using-csp-directive-script-src-unsafe-eval/#post-18684375)
 * [@codepeople2](https://wordpress.org/support/users/codepeople2/)
 * I received your emails, tested the script and it works! The form is not breaking
   now when using a CSP that doesn’t allow `script-src 'unsafe-eval'`.
 * Thank you for your quick support!
 *  Plugin Author [CodePeople2](https://wordpress.org/support/users/codepeople2/)
 * (@codepeople2)
 * [7 months, 2 weeks ago](https://wordpress.org/support/topic/error-when-using-csp-directive-script-src-unsafe-eval/#post-18684407)
 * Hello [@matthiaspabst](https://wordpress.org/support/users/matthiaspabst/)
 * Thank you so much for the feedback.
 * Best regards.
 *  Plugin Author [CodePeople2](https://wordpress.org/support/users/codepeople2/)
 * (@codepeople2)
 * [7 months, 1 week ago](https://wordpress.org/support/topic/error-when-using-csp-directive-script-src-unsafe-eval/#post-18689250)
 * Hello [@matthiaspabst](https://wordpress.org/support/users/matthiaspabst/)
 * We released a plugin update that includes the modifications to the file we previously
   provided and additional enhancements.
 * Best regards.
 *  Thread Starter [Matze Pabst](https://wordpress.org/support/users/matthiaspabst/)
 * (@matthiaspabst)
 * [7 months, 1 week ago](https://wordpress.org/support/topic/error-when-using-csp-directive-script-src-unsafe-eval/#post-18690590)
 * Hi [@codepeople2](https://wordpress.org/support/users/codepeople2/)
 * I installed this update and now the CSP errors because of the missing
   `script-src 'unsafe-eval'` are back. all.js line 10167 still uses eval().
 * I rolled back to the fbuilder.fcalculated.js you sent me a few days ago.
 * Best regards
   Matthias
 *  Plugin Author [CodePeople2](https://wordpress.org/support/users/codepeople2/)
 * (@codepeople2)
 * [7 months, 1 week ago](https://wordpress.org/support/topic/error-when-using-csp-directive-script-src-unsafe-eval/#post-18690639)
 * Hello [@matthiaspabst](https://wordpress.org/support/users/matthiaspabst/)
 * It includes the evaluation in a try/catch block. If you have enabled the protection
   directives, it will use the exact code we provided you from the plugin website.
 *     ```wp-block-code
       try {
           r = eval(eq);
       } catch (err) {
           // On EvalError, hand the equation to $.fbuilder['eval'] instead
           if ( err instanceof EvalError ) r = $.fbuilder['eval'].call(this, eq);
           else throw err;
       }
       ```
   
 * Could you please provide the link to the page containing the form after you install
   the plugin’s update?
   Best regards.
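
One way to evaluate arithmetic equations over form fields with no `eval()` call at all, so nothing is attempted that a `script-src` policy without `'unsafe-eval'` would block or report (browsers report the violation when `eval()` is attempted, whether or not the resulting `EvalError` is caught). This is an added example, not the plugin's code or the file its author sent; the function names and the field names used with it are assumptions.

```javascript
// Added example, not plugin code. expr := term (+|- term)*, term := unary (*|/ unary)*,
// unary := - unary | primary, primary := number | field | ( expr )
const OPS = { '+': (a, b) => a + b, '-': (a, b) => a - b, '*': (a, b) => a * b, '/': (a, b) => a / b };
function tokenize(src) {
  const re = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|([-+*\/()]))\s*/y;
  const tokens = [];
  let pos = 0;
  while (pos < src.length) {
    re.lastIndex = pos; // sticky match: the next token must start exactly here
    const m = re.exec(src);
    if (!m) throw new SyntaxError(`Unexpected character at offset ${pos}`);
    if (m[1] !== undefined) tokens.push({ type: 'num', value: parseFloat(m[1]) });
    else if (m[2] !== undefined) tokens.push({ type: 'field', value: m[2] });
    else tokens.push({ type: 'op', value: m[3] });
    pos = re.lastIndex;
  }
  return tokens;
}

function evaluateEquation(equation, fields) {
  const tokens = tokenize(equation);
  let i = 0;
  const isOp = (...ops) => i < tokens.length && tokens[i].type === 'op' && ops.includes(tokens[i].value);
  const chain = (next, ...ops) => { // one left-associative precedence level
    let v = next();
    while (isOp(...ops)) v = OPS[tokens[i++].value](v, next());
    return v;
  };
  const expr = () => chain(term, '+', '-');
  const term = () => chain(unary, '*', '/');
  const unary = () => (isOp('-') ? (i++, -unary()) : primary());
  const primary = () => {
    const t = tokens[i++];
    if (!t || (t.type === 'op' && t.value !== '(')) throw new SyntaxError('Unexpected token or end');
    if (t.type === 'num') return t.value;
    if (t.type === 'op') { // opening parenthesis
      const v = expr();
      if (!isOp(')')) throw new SyntaxError('Missing )');
      return (i++, v);
    }
    // Field values are data only: own-property lookup, then numeric coercion.
    if (!Object.prototype.hasOwnProperty.call(fields, t.value)) throw new ReferenceError(`Unknown field ${t.value}`);
    const n = Number(fields[t.value]);
    if (!Number.isFinite(n)) throw new TypeError(`Field ${t.value} is not numeric`);
    return n;
  };
  const result = expr();
  if (i < tokens.length) throw new SyntaxError(`Unexpected ${tokens[i].value}`);
  return result;
}
```

Anything outside the grammar, including function calls and property access, is rejected with an exception instead of being executed.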
 *  Thread Starter [Matze Pabst](https://wordpress.org/support/users/matthiaspabst/)
 * (@matthiaspabst)
 * [5 months, 1 week ago](https://wordpress.org/support/topic/error-when-using-csp-directive-script-src-unsafe-eval/#post-18764593)
 * [@codepeople2](https://wordpress.org/support/users/codepeople2/) Sorry for my
   late reply. Here’s a post containing a CFF form:
   [https://trendblog.euronics.de/tv-streaming/stromverbrauch-fernseher-das-zahlst-du-pro-stunde-monat-und-jahr-121214/](https://trendblog.euronics.de/tv-streaming/stromverbrauch-fernseher-das-zahlst-du-pro-stunde-monat-und-jahr-121214/)
   Please check your browser console and move any slider to see the CSP errors.
 *  Plugin Author [CodePeople2](https://wordpress.org/support/users/codepeople2/)
 * (@codepeople2)
 * [5 months, 1 week ago](https://wordpress.org/support/topic/error-when-using-csp-directive-script-src-unsafe-eval/#post-18764728)
 * Hello [@matthiaspabst](https://wordpress.org/support/users/matthiaspabst/)
 * If you are referring to the CSP, it is not being caused by our plugin, it is 
   happening in the WP Rocket generated code:
 * ![](https://i0.wp.com/resources.developers4web.com/cff/tmp/2025/12/22/screenshot.png?ssl=1)
 * The console message you see when moving the slider is not a CSP message but
   a browser warning: “Added non-passive event listener to a scroll…”. This warning
   isn’t generated by our plugin; it comes from the jQuery slider control included
   with WordPress (our plugin simply uses it) and how jQuery handles slider events.
   You can confirm this by visiting the jQuery Slider Control page directly.
 * [https://jqueryui.com/slider/](https://jqueryui.com/slider/)
 * Best regards.
 *  Thread Starter [Matze Pabst](https://wordpress.org/support/users/matthiaspabst/)
 * (@matthiaspabst)
 * [5 months, 1 week ago](https://wordpress.org/support/topic/error-when-using-csp-directive-script-src-unsafe-eval/#post-18765624)
 * Hello [@codepeople2](https://wordpress.org/support/users/codepeople2/)! I’m
   not sure if this is correct. My console reports your all.js file as the source
   of the CSP errors. See the two screenshots. Additionally, I deactivated WP Rocket
   Cache for this post.
 * ![](https://cloudup.com/i86lfLhHDge)
 * After moving the first slide:
 * ![](https://cloudup.com/i2KfwuHgn-K)
    -  This reply was modified 5 months, 1 week ago by [Matze Pabst](https://wordpress.org/support/users/matthiaspabst/).
 *  Plugin Author [CodePeople2](https://wordpress.org/support/users/codepeople2/)
 * (@codepeople2)
 * [5 months, 1 week ago](https://wordpress.org/support/topic/error-when-using-csp-directive-script-src-unsafe-eval/#post-18765692)
 * Hello [@matthiaspabst](https://wordpress.org/support/users/matthiaspabst/)
 * Could you please check your website with the browser in incognito mode? I guess
   you have a cache problem. I tested your form, and the only messages are the warnings
   generated by jQuery. Please watch the following video:
 * [https://resources.developers4web.com/cff/tmp/2025/12/23/video-console_o.mp4](https://resources.developers4web.com/cff/tmp/2025/12/23/video-console_o.mp4)
 * Best regards.
 *  Thread Starter [Matze Pabst](https://wordpress.org/support/users/matthiaspabst/)
 * (@matthiaspabst)
 * [1 month ago](https://wordpress.org/support/topic/error-when-using-csp-directive-script-src-unsafe-eval/#post-18891701)
 * [@codepeople2](https://wordpress.org/support/users/codepeople2/) My CSP still
   blocks all.js because of eval() in line 10728. I tested this in Chromium and
   Firefox in private mode. Plugin version is 5.4.6.7
 * Screenshots: [https://cloudup.com/cmZ7R7n1JVN](https://cloudup.com/cmZ7R7n1JVN)


 * 19 replies
 * 2 participants
 * Last reply from: [CodePeople2](https://wordpress.org/support/users/codepeople2/)
 * Last activity: [1 month ago](https://wordpress.org/support/topic/error-when-using-csp-directive-script-src-unsafe-eval/page/2/#post-18893039)
 * Status: resolved