科技改变生活-雨落星辰 - 所有的伟大,都源于一个勇敢的开始

    最新消息:雨落星辰是一个专注网站SEO优化、网站SEO诊断、搜索引擎研究、网络营销推广、网站策划运营及站长类的自媒体原创博客
    你的位置: 首页>programmer>javascript - How to fix "unsafe-eval" error with Vue3 for the client-side version? - Stack Overflow

    javascript - How to fix "unsafe-eval" error with Vue3 for the client-side version? - Stack Overflow

    programmeradmin3浏览0评论

    I'm using Express, cors, and helmet for my app. Vue3 is used on the client-side only and the library file is self-hosted in the public folder. I simply do

    <script type="module" src="/public/lib/vue.esm-browser.js"></script>

    to add the module to the client-side. The problem is that when I use it, it keeps giving me an Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'". This problem started yesterday suddenly, when I started using the helmet and cors modules, and even if I ment out these modules, it still shows the error. What should I fix?

    I'm using Express, cors, and helmet for my app. Vue3 is used on the client-side only and the library file is self-hosted in the public folder. I simply do

    <script type="module" src="/public/lib/vue.esm-browser.js"></script>

    to add the module to the client-side. The problem is that when I use it, it keeps giving me an Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'". This problem started yesterday suddenly, when I started using the helmet and cors modules, and even if I ment out these modules, it still shows the error. What should I fix?

    • javascript
    • express
    • vuejs3
    • content-security-policy
    Share Improve this question edited Jul 20, 2021 at 23:17 sideshowbarker 88.2k29 gold badges215 silver badges211 bronze badges asked Jul 20, 2021 at 18:15 TheOwlTheOwl 1471 gold badge1 silver badge9 bronze badges
    Add a ment  | 

    1 Answer 1

    Reset to default 12

    Yes, vue.js uses a piece of code like this:

    // detect possible CSP restriction
try {
  new Function('return 1')
} catch (e: any) {
  if (e.toString().match(/unsafe-eval|CSP/)) {
    warn(
      'It seems you are using the standalone build of Vue.js in an ' +
      'environment with Content Security Policy that prohibits unsafe-eval. ' +
      'The template piler cannot work in this environment. Consider ' +
      'relaxing the policy to allow unsafe-eval or pre-piling your ' +
      'templates into render functions.'
    )
  }
}

    Here you have 2 options:

    1. usage of prepiled templates, see discussion at github.

    2. using a vue.runtime.js runtime version instead of vue.js full version.

    VueJS has 2 different versions: the full version and the runtime version. 'unsafe-eval' is only needed for the full version of VueJS; the runtime version doesn't need it. See details here.

    The runtime-only build is fully CSP-pliant. When using the runtime-only build with Webpack + vue-loader or Browserify + vueify, your templates will be prepiled into render functions which work perfectly in CSP environments. See details in Vue CSP environments.

    与本文相关的文章

    发布评论

    评论列表(0)

    1. 暂无评论