CSP script-src 'unsafe-eval' breaks CKEditor with Embedded Content

Created on 13 January 2025, 18 days ago

Problem/Motivation

We've discovered an issue with our Content Security Policy header, in combination with Embedded Content 2.0.2. We don't allow unsafe-eval in the script-src category of the CSP configuration, but the build file embeddedContent.js contains several eval functions.

Proposed resolution

The eval functions are removed in commit f445d869. So installing the 2.0.x version of this module solves the problem. Is it possible to release this fix as soon as possible?

🐛 Bug report
Status

Active

Version

2.0

Component

Code

Created by

🇳🇱Netherlands ooziedie
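
A build-time check for the situation reported above, as an added example that is not part of the original issue or the module's own code: it parses a CSP header to decide whether `eval` is permitted, then scans a bundle's text for `eval(` and `new Function(` calls. The function names, the sample policy and the sample bundle text are constructed for illustration.

```javascript
// Source list that governs eval(): script-src, else default-src, else null.
function effectiveScriptSrc(cspHeader) {
  const directives = new Map();
  for (const part of cspHeader.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

// True when the policy lets eval() and new Function() run.
function policyAllowsEval(cspHeader) {
  const sources = effectiveScriptSrc(cspHeader);
  if (sources === null) return true; // nothing restricts script execution
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Text patterns for string-to-code sinks. This over-reports (it also matches
// inside comments and strings), which is the safer direction for a build gate.
const SINKS = [
  { name: 'eval', re: /\beval\s*\(/ },
  { name: 'new Function', re: /\bnew\s+Function\s*\(/ },
];

function findEvalSinks(bundleSource) {
  const hits = [];
  bundleSource.split('\n').forEach((text, i) => {
    for (const { name, re } of SINKS) {
      if (re.test(text)) hits.push({ line: i + 1, sink: name });
    }
  });
  return hits;
}

function checkBundle(cspHeader, bundleSource) {
  const sinks = findEvalSinks(bundleSource);
  return { sinks, blocked: sinks.length > 0 && !policyAllowsEval(cspHeader) };
}

// Constructed sample policy and bundle text (not the real embeddedContent.js).
const SAMPLE_CSP = "default-src 'self'; script-src 'self' https://cdn.example";
const SAMPLE_BUNDLE = [
  '  "./src/index.js": (m) => { eval("console.log(1)"); },',
  '  "./src/util.js": () => new Function("return this")(),',
  '  "./src/ok.js": () => { retrieval(2); },',
].join('\n');
console.log(checkBundle(SAMPLE_CSP, SAMPLE_BUNDLE));
```

Run against the built file in CI, a non-empty `sinks` list under a policy without `'unsafe-eval'` flags the bundle before it reaches a site that enforces that policy.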
