« unsafe-eval » error when I’m trying to import Stripe


I can't fix this issue:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'

I am using a Node.js server hosted on Heroku, and I have this issue only on Chrome. It happened when I tried to add Stripe to my website, and I have already added every URL Stripe needs to my CSP.

I tried to change my CSP and add 'unsafe-eval' to my script-src, but I still have the same problem.

const express = require('express');
const helmet = require('helmet');
const app = express();

app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"], // Fallback for every fetch directive not listed below
    connectSrc: ["'self'", "https://checkout.stripe.com", "https://api.stripe.com", "https://maps.googleapis.com", "https://api.alternative.me/fng/"], // Allows connections to Stripe Checkout
    scriptSrc: ["'self'", "https://checkout.stripe.com", "https://js.stripe.com", "https://maps.googleapis.com", "https://connect-js.stripe.com", "'unsafe-eval'"], // Allows Stripe.js and, as a workaround, eval()
    frameSrc: ["'self'", "https://checkout.stripe.com", "https://js.stripe.com/", "https://hooks.stripe.com", "https://connect-js.stripe.com"], // Allows frames from Stripe Checkout
    imgSrc: ["'self'", "https://*.stripe.com", "data:"], // Allows images from Stripe
    baseUri: ["'self'"],
    objectSrc: ["'none'"],
    upgradeInsecureRequests: [],
  },
}));

Network response header:

Content-Security-Policy

default-src 'self';connect-src 'self' https://checkout.stripe.com https://api.stripe.com https://maps.googleapis.com https://api.alternative.me/fng/;script-src 'self' https://checkout.stripe.com https://js.stripe.com https://maps.googleapis.com https://connect-js.stripe.com 'unsafe-eval';frame-src 'self' …
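One way to narrow this down, as an added example that is not part of the question: a small checker that parses one or more Content-Security-Policy values and reports whether a source expression such as 'unsafe-eval' is permitted for script-src. Browsers enforce every policy they receive (a second header added by another middleware or proxy, or a <meta http-equiv="Content-Security-Policy"> tag in the page), so a source has to be allowed by each of them; the directive quoted in the console error ("script-src 'self'") is the one from the policy that actually blocked the evaluation, and here it does not match the header shown above. The sample policies below are constructed for the example (the first is a shortened version of the header in the question).

```javascript
// Added example, not code from the question. Parses CSP header values and
// checks whether a source expression is permitted for a directive when
// several policies apply at once.

// Parse one policy string into a Map of directive name -> list of sources.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A directive repeated inside one policy is ignored: the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Sources governing `directive` in one policy: the directive itself, else the
// default-src fallback, else null (this policy imposes no restriction).
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Does a single policy allow `source` (e.g. "'unsafe-eval'") for `directive`?
function policyAllows(policy, directive, source) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === source.toLowerCase());
}

// Indices of the policies that would block `source` for `directive`.
// Every delivered policy is enforced, so one blocking policy is enough.
function blockingPolicies(policies, directive, source) {
  return policies
    .map((p, i) => (policyAllows(p, directive, source) ? -1 : i))
    .filter((i) => i >= 0);
}

function allowed(policies, directive, source) {
  return blockingPolicies(policies, directive, source).length === 0;
}

// Constructed samples: a shortened version of the helmet header from the
// question, plus a stricter second policy that another layer might add.
const HELMET_LIKE_POLICY =
  "default-src 'self';connect-src 'self' https://api.stripe.com;" +
  "script-src 'self' https://js.stripe.com 'unsafe-eval';frame-src 'self' https://js.stripe.com/";
const STRICT_POLICY = "script-src 'self'";

function demo() {
  const helmetOnly = [parsePolicy(HELMET_LIKE_POLICY)];
  const combined = [parsePolicy(HELMET_LIKE_POLICY), parsePolicy(STRICT_POLICY)];
  return {
    helmetOnly: allowed(helmetOnly, 'script-src', "'unsafe-eval'"), // true
    combined: allowed(combined, 'script-src', "'unsafe-eval'"), // false
    blockedBy: blockingPolicies(combined, 'script-src', "'unsafe-eval'"), // [1]
  };
}

console.log(demo());
```

To use it on a real page, paste every Content-Security-Policy value the browser reports (all response headers of that name, plus any meta tag in the HTML) into the policies array; if the helmet header alone allows the source but the combined set does not, the blocking policy is coming from somewhere other than this middleware.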


There are 0 answers