
javascript - 'unsafe-eval' is not an allowed source of script - Stack Overflow


Error: Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".

The error only shows in other browsers and not Chrome. I found some answers and they say to add

<meta http-equiv="Content-Security-Policy" content="font-src 'self' 'unsafe-inline' data:; img-src 'self' data:; style-src 'self' 'unsafe-inline' data:; script-src 'unsafe-eval' 'unsafe-inline' data:; default-src 'self' localhost:*">

Reference: Content Security Policy

And after adding the meta tag, an error pops up on refresh of the browser, including Chrome.

Error: Refused to load the script '' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'unsafe-inline' data:". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Please help.

asked May 27, 2022 at 16:30 by Fat Fatty
  • Why do you need to set that meta tag? I believe it's generally used rarely. – cascading-jox Commented May 27, 2022 at 16:33
  • It's giving me the error without using it. The first error is what I get without setting the meta tag. – Fat Fatty Commented May 27, 2022 at 16:36
  • You should only enable unsafe-eval if it is absolutely necessary, which in most cases, it is not. You should audit your dependencies to find out which one is trying to use eval and replace it with something safer. – Besworks Commented May 28, 2022 at 1:07

1 Answer

I found the answer. The problem was with the helmet node module. When I remove the app.use(helmet()) from my backend, the problem goes away.

If you're also having this error, I replaced the app.use(helmet()) with

    app.use(
      helmet({
        contentSecurityPolicy: false,
      })
    );
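Added example (not part of the original question or answer): a simplified model of how a browser combines several Content Security Policies, run on the two policies quoted in the question. It assumes the header policy is the `script-src 'self'` named in the first error and that the refused script is a file served from the page's own origin; the function names are illustrative.

```javascript
// Constructed inputs: the two policies quoted in the question.
const HEADER_POLICY = "script-src 'self'"; // directive named in the first error
const META_POLICY =
  "font-src 'self' 'unsafe-inline' data:; img-src 'self' data:; " +
  "style-src 'self' 'unsafe-inline' data:; " +
  "script-src 'unsafe-eval' 'unsafe-inline' data:; default-src 'self' localhost:*";

// Parse a policy string into a Map of directive name -> source list.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Sources that govern scripts: script-src if present, else default-src.
// Once script-src is set, default-src is no longer consulted for scripts.
function scriptSources(policy) {
  return policy.get("script-src") ?? policy.get("default-src") ?? null;
}

function allowsEval(policy) {
  const src = scriptSources(policy);
  return src === null || src.includes("'unsafe-eval'");
}

// Simplified: a same-origin script file is matched only through 'self'.
function allowsSameOriginScript(policy) {
  const src = scriptSources(policy);
  return src === null || src.includes("'self'");
}

// Every delivered policy must allow an action, so an extra policy
// (such as a meta tag) can only restrict further, never loosen.
function explain(policyTexts) {
  const policies = policyTexts.map(parsePolicy);
  return {
    eval: policies.every(allowsEval),
    sameOriginScript: policies.every(allowsSameOriginScript),
  };
}

console.log(explain([HEADER_POLICY, META_POLICY]));
```

With both policies in force, eval stays blocked by the header and same-origin script files are blocked by the meta tag, whose `script-src` has no `'self'`. Helmet's `contentSecurityPolicy` option also accepts a `directives` object, so the header itself can be adjusted rather than switched off.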
