ngx-formly: Formly does not work with Content-Security-Policy header script-src 'self' because it contains a Function() constructor.
Description Formly does not work with Content-Security-Policy header script-src ‘self’ because it contains a Function() constructor.
Minimal Reproduction Set Content-Security-Policy header to script-src ‘self’ en use a formly form. You will get the following error.
ngx-formly-core.js:1806 EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://js-agent.newrelic.com https://bam.eu01.nr-data.net https://bam.nr-data.net 'nonce-T6zPBgcT9d9nllSapiDYb8eIumnbFNhH'".
at Function (<anonymous>)
at F (ngx-formly-core.js:1803)
at V.onPopulate (ngx-formly-core.js:1862)
at ngx-formly-core.js:606
at Array.forEach (<anonymous>)
at k._buildForm (ngx-formly-core.js:602)
at ngx-formly-core.js:612
at Array.forEach (<anonymous>)
at k._buildForm (ngx-formly-core.js:608)
at k.buildForm (ngx-formly-core.js:589)
Add ‘unsave-eval’ to the header and it will work.
Your Environment
- Angular version: 8.2.8
- Formly version: 5.5.8
Additional context Please offer some advice on how to get Formly to work without removing the eval protection. Thank you.
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Comments: 15 (9 by maintainers)
Commits related to this issue
- fix(core): support Content-Security-Policy header script-src 's… (#2199) fix #2157 — committed to ngx-formly/ngx-formly by aitboudad 4 years ago
- fix(core): support Content-Security-Policy header script-src 's… (#2199) fix #2157 — committed to ngx-formly/ngx-formly by aitboudad 4 years ago
resolved locally still need to add some tests. I’ll try to finish it at the end of this week, please remind me in the case I didn’t ⌛
This issue has been fixed and released as part of v5.6.0 release.
Please let us know, in case you are still encountering a similar issue/problem. Thank you!