Package Development Error: "Refused to evaluate a string as JavaScript ..."


#1

Hi.

I’m developing an atom package which uses a third-party nodejs package, which I’ve in turn installed via “npm install”.
When calling “toggle” I get the following error:


Uncaught EvalError: Refused to evaluate a string as JavaScript because ‘unsafe-eval’ is not an allowed source of script in the following Content Security Policy directive: “script-src ‘self’”.

I’ve followed the stracktrace and in one of the JS files the third-party package really calls “eval”. I’m not sure how to find a work-around for this issue. Isn’t atom run in some kind of “sandbox”? If yes, then why would evaluation of a string as JS code pose a threat?

Thanks.


#2

Hi @johndoe

Atom, or chromium has this policy of disallowing eval in some environments. The third party modules you’re using in your package are using eval in their code. You should open an issue on their repository asking them to replace eval usage with an alternative solution.

Tho while they do that, you can use the loophole as a workaround