CKEditor Abbreviation use eval in its webpack build to execute the plugin.
I am running all sites with a strict Content Security Policy and try to avoid unsafe-inline and unsafe-eval policies.
There are several lines like this:
eval('__webpack_require__.r(__webpack_exports__);\n/* harmony export */ __webpack_require__.d(__webpack_exports__, {\n/* harmony export */ "default": () => (/* binding */ Abbreviation)\n/* harmony export */ });\n/* harmony import */ var ckeditor5_src_core__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(/*! ckeditor5/src/core */ "ckeditor5/src/core.js");\n/* harmony import */ var _abbreviationediting__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(/*! ./abbreviationediting */ "./js/ckeditor5_plugins/abbreviation/src/abbreviationediting.js");\n/* harmony import */ var _abbreviationui__WEBPACK_IMPORTED_MODULE_2__ = __webpack_require__(/*! ./abbreviationui */ "./js/ckeditor5_plugins/abbreviation/src/abbreviationui.js");\n\n\n\n\nclass Abbreviation extends ckeditor5_src_core__WEBPACK_IMPORTED_MODULE_0__.Plugin {\n\tstatic get requires() {\n\t\treturn [ _abbreviationediting__WEBPACK_IMPORTED_MODULE_1__["default"], _abbreviationui__WEBPACK_IMPORTED_MODULE_2__["default"] ];\n\t}\n}\n\n//# sourceURL=webpack://CKEditor5.abbreviation/./js/ckeditor5_plugins/abbreviation/src/abbreviation.js?')
script-src)Do a javascript build without eval usage.
Fixed
4.0
Code
Issue #3440095 by sunlix: CSP: Webpack-Build use eval function to...
Automatically closed - issue fixed for 2 weeks with no activity.