'unsafe-eval' is not an allowed source of script


#1

Sorry for all of these posts, I have never coded in my life before.

I am getting error

  • Executing: | storeEval | storedVars['Raw_CCC'].slice(8) | USD |

  • [error]

Error in runEval code: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://assets.coinbase.com https://www.google-analytics.com/analytics.js https://static.statsjar.com/analytics/rsxdhm2zkI.js https://cdn.plaid.com/link/v2/stable/link-initialize.js https://gc.kis.v2.scr.kaspersky-labs.com wss://gc.kis.v2.scr.kaspersky-labs.com".

I looked it up, and found the following:

Code like the following does not work:

// Each of these turns a string into code, which CSP blocks without 'unsafe-eval':
alert(eval("foo.bar.baz"));
window.setTimeout("alert('hi')", 10);
window.setInterval("alert('hi')", 10);
new Function("return foo.bar.baz");

Evaluating strings of JavaScript like this is a common XSS attack vector. Instead, you should write code like:

// Same behaviour, but expressed as real code instead of a string:
alert(foo && foo.bar && foo.bar.baz);
window.setTimeout(function() { alert('hi'); }, 10);
window.setInterval(function() { alert('hi'); }, 10);
var getBaz = function() { return foo && foo.bar && foo.bar.baz; };

I don't see a pattern to how these are being rewritten. How do I rewrite my command so that this will work? I don't know why this is happening, since the command should not be sent to the website to be executed, but performed inside Kantu.

I also saw that I could add "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'" to my "policy" to relax security. Where do I put that in?

Thanks, Nathan
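The quoted rewrites above all follow one rule: replace a string that gets evaluated with code that walks the same property chain directly. The following is an added example, not code from the thread or from Kantu; it generalises the `foo && foo.bar && foo.bar.baz` pattern into a path lookup that needs no eval, applies it to the `storedVars['Raw_CCC'].slice(8)` expression from the error, and adds a probe that reports whether the page's CSP permits eval at all. `getPath`, `evalAllowed`, `rawCccTail` and the sample data are assumptions for the example.

```javascript
// Added example (not from the thread): CSP-safe replacements for eval-style
// string evaluation, plus a probe for whether 'unsafe-eval' is permitted.

// Return the value at a dotted path, or undefined if any step is missing.
// Equivalent to eval("foo.bar.baz") but evaluates no string as code.
function getPath(root, path) {
  if (typeof path !== "string" || path.length === 0) return undefined;
  var current = root;
  var parts = path.split(".");
  for (var i = 0; i < parts.length; i++) {
    // Mirrors the `foo && foo.bar && ...` guard: stop on null/undefined.
    if (current === null || current === undefined) return undefined;
    current = current[parts[i]];
  }
  return current;
}

// Probe whether string-to-code evaluation is allowed where this runs.
// Under a script-src without 'unsafe-eval', new Function() throws.
function evalAllowed() {
  try {
    new Function("return 1")();
    return true;
  } catch (e) {
    return false;
  }
}

// The thread's storeEval expression without eval: fetch the stored
// variable by name, then slice it in ordinary code.
function rawCccTail(storedVars) {
  var raw = getPath(storedVars, "Raw_CCC");
  return typeof raw === "string" ? raw.slice(8) : undefined;
}

// Constructed sample data standing in for the page's objects.
var sampleStoredVars = { Raw_CCC: "BTC/USD:12345.67" };
var sampleFoo = { bar: { baz: "hello" } };
```

Run inside a page whose CSP omits 'unsafe-eval', `evalAllowed()` returns false while `getPath` and `rawCccTail` keep working, which is why moving the expression out of a string is the fix rather than relaxing the policy.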


#2

Please see this post: [Feature Request] [Issue #279] Error in runEval code: Refused to evaluate a string as JavaScript because 'unsafe-eval'

Summary: It is a website related issue, and a new “sandboxed” storeEval is planned


#3

Alright, thank you. That means that I cannot do any storeEval commands in my script. Difficult.


#4

Yes, you can.
You just have to switch to a tab (with selectWindow) where storeEval is allowed.
E.g. a9t9.com


#5

Wonderful, thank you!