Cannot disable unsafe-eval

Resolved mikemackechnie
(@mikemackechnie)

1 year, 10 months ago

I have been hired to implement a CSP for a web site that uses the Mailchimp for WooCommerce plugin.

If I disable unsafe-eval, the site reports an error in mailchimp-woocommerce-public.min.js?ver=4.1.07:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' blob .....

Is there a workaround for this?

Viewing 12 replies - 1 through 12 (of 12 total)

Plugin Author ryanhungate
(@ryanhungate)

1 year, 10 months ago

@mikemackechnie are you having trouble with the mailchimp.com or the “chimpstatic” domains? You’re bringing up a very good point that we’ll be glad to get resolved if possible.
Thread Starter mikemackechnie
(@mikemackechnie)

1 year, 10 months ago
It’s https://chimpstatic.com/ in my Content Security Policy.

We are now running version 4.2.1 of the plugin, but we are still getting the problem.
- This reply was modified 1 year, 10 months ago by mikemackechnie.
Plugin Support khungate
(@khungate)

1 year, 9 months ago

Hi @mikemackechnie thanks for your patience. We wanted to let you know we escalated this issue to the proper channels shortly after your last message, and are awaiting further guidance from the team that works with this particular script at Mailchimp. We’ll update this thread as soon as we know more information.
alibuc
(@alibuc)

1 year, 8 months ago
Hi,

I am testing CSP for a client and noticed it didn’t like the first setTimeout function in the file:

./plugins/mailchimp-for-woocommerce/public/js/mailchimp-woocommerce-public.min.js

Changing from:
```
mailchimpReady=function(e){/in/.test(document.readyState)?setTimeout("mailchimpReady("+e+")",9):e()}
```
to:
```
mailchimpReady=function(e){/in/.test(document.readyState)?setTimeout(() => "mailchimpReady("+e+")",9):e()}
```
seemed to work, possibly caused by this functionality…

https://stackoverflow.com/questions/72061796/using-settimeout-with-strings-triggers-unsafe-eval-alert
Plugin Support KJ
(@kjvextras)

1 year, 7 months ago

That’s great news! Do you need anything else from us? We are still looking into things on our side.

alibuc
(@alibuc)

1 year, 7 months ago

Thanks, modifying the js file on an ad-hoc basis is not my preferred approach but personally I can wait until you resolve it. I can’t speak for @mikemackechnie

Plugin Support KJ
(@kjvextras)

1 year, 7 months ago

Thanks so much for being patient with us @alibuc – This update is in our next release. We will swing back around to let you know when deployed. Chat soon!

Thread Starter mikemackechnie
(@mikemackechnie)

1 year, 7 months ago

Good news! I have applied @alibuc ‘s edit to the js and I can confirm that I can now disable unsafe-eval on my website. Good work @alibuc .

Plugin Support KJ
(@kjvextras)

1 year, 7 months ago

Heck yea! So happy things worked out – We appreciate you swinging back around and letting us know. Thanks for sticking with us! @mikemackechnie

Plugin Support KJ
(@kjvextras)

1 year, 5 months ago

Hi there, just letting you know we have implemented this change in Mailchimp for WooCommerce v5.0

We just wanted to check back with you to see if this was still a problem with our latest plugin Mailchimp for WooCommerce v5.0. Please let us know when you get a moment, we’ll be happy to help troubleshoot further if necessary.

Thread Starter mikemackechnie
(@mikemackechnie)

1 year, 5 months ago

Hi, thanks for getting back to me. I can confirm that our plugin is now running at 5.0 and we are not getting the “‘unsafe-eval’ is not allowed” error. Good work, chaps.

Plugin Support KJ
(@kjvextras)

1 year, 5 months ago

Wahoo! @mikemackechnie If you are pleased, do you mind leaving us an awesome review? We would greatly appreciate it! The Woo community means so very much to us!

Viewing 12 replies - 1 through 12 (of 12 total)

The topic ‘Cannot disable unsafe-eval’ is closed to new replies.

Tags