Content Security Policy of your site blocks the use of 'eval' in JavaScript`

Created on 6 March 2025, about 1 month ago

I am using turnstile : 1.1.13, captcha is working fine, but it shows errors on the console.

Here is the error:

The Content Security Policy (CSP) prevents the evaluation of arbitrary strings as JavaScript to make it more difficult for an attacker to inject unathorized code on your site.

To solve this issue, avoid using eval(), new Function(), setTimeout([string], ...) and setInterval([string], ...) for evaluating strings.

If you absolutely must: you can enable string evaluation by adding unsafe-eval as an allowed source in a script-src directive.

⚠️ Allowing string evaluation comes at the risk of inline script injection.

1 directive
Source location Directive Status

https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/orchest... script-src blocked

Please have a look at the attached screenshot:

🐛 Bug report

Status

Active

Version

1.1

Component

User interface

Created by

🇵🇰Pakistan dewancodes

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @dewancodes
Comment about 1 month ago →
🇵🇰Pakistan dewancodes
Comment about 1 month ago →
🇵🇰Pakistan dewancodes
Comment about 1 month ago →
🇵🇰Pakistan dewancodes
Comment about 1 month ago →
🇺🇸United States greatmatter
This appears to be an issue with Turnstile, and not the module. We don't use eval(), new Function(), setTimeout([string], ...) and setInterval([string], ...) in the module itself, but it's present in the hosted file from Cloudflare.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024