Sites running this module will have their CKEditor possibly broken if the site don't allow "eval" javascript due to a tight Content Security Policy. This is caused by the modules' built webpack assets that use eval to load code internally. This is a known webpack issue, but might alternately be caused by shipping dev versions of the javascript builds.
Sample CSP browser error:
"Content-Security-Policy: The page’s settings blocked a JavaScript eval (script-src) from being executed because it violates the following directive...........(*snip* entire CSP policy) (Missing 'unsafe-eval') "
Webpack references to the issue:
https://github.com/webpack/webpack/discussions/18073
https://github.com/webpack/webpack-dev-server/pull/5045/commits
This should be fixed in webpack-dev-servr 5.x branch .
https://github.com/webpack/webpack-dev-server/releases/tag/v5.0.1
Remove the ability to eval javascript using CSP policy (multiple CSP helper tools on the web exist).
Rebuild assets using a version of webpack that does not have the eval problem, or rebuild assets in webpack mode suitable for production use without "eval" allowed.
Rebuild assets using a version of webpack that does not have the eval problem.
None
None
Note
Active
1.0
Code
yareckon, thank you for reporting it. The issue is the watch script, because it runs the --mode development and if the last build was done with npm run watch, the eval was in the JS file.
Thank you for reporting it.
This is now solved in the 1.0.1 version.
Automatically closed - issue fixed for 2 weeks with no activity.