Visiting the modules admin (/admin/modules), the console shows this error:
tableheader.js?osdq8l:83 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".
This happens after activating the Security Kit Module and activating the function -Send HTTP response header- that turns on the Content Security Policy.
If the Module Filter is installed, the modules admin page gets broken.
The way to solve it is to add 'unsafe-eval' to the script-src directive; however, it is not recommended.
Comments
Comment #2
Ayesh, as a volunteer, commented:
Good call to remove the eval() call. There are a few more JS eval() calls, and the Drupal.settings expansion that will be blocked with a tight CSP. However, try with the attached patch. It has a small function that executes a given variable from the window object, and returns the callback's return value.
Comment #4
collinhaines commented:
Confirmed patch is still valid 3 years later. Flawlessly patches in 7.73.
No apparent visible issues with the Module Filter module, any core tables (content overview), nor any view tables (Admin Views, Views).
Comment #5
Bohus Ulrych
Thanks. Seems to be working well. D7 version 7.78
Comment #6
gapple
Haven't tested, but it looks like callHeaderOffsetFunction should return 0 instead of null if the specified function isn't available.
Comment #7
gapple
And there's a patch available for Drupal.settings: #2783153: [D7] Convert drupalSettings from JavaScript to JSON, to allow for CSP in the future
Comment #8
izmeez commented:
Added to #3207851: [meta] Priorities for 2021-06-02 release of Drupal 7
Comment #9
berliner commented:
I had issues in combination with the navbar module where I see these errors in the log (in Brave and Chrome, not tested in other browsers so far):
The attached updated patch fixes that issue for me.
Comment #10
Fabianx, as a volunteer and at Tag1 Consulting, commented:
This is similar to what we had before, but fixes one more bug.
Let's however also fix overlay.js AND also ensure that while we go through the chain that we always check the typeof before for object or function and return 0 instead of erroring out.
It seems the eval silently failed instead and returned 0.
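The approach described in comments #2, #6 and #10, as an added example that is not the attached patch or Drupal's committed code: a dotted function name is resolved one link at a time with a typeof check before each step, and 0 is returned when the function is not available. The names callByPath and sampleRoot are hypothetical, and the sample object is constructed for illustration.

```javascript
// Added example, not the Drupal patch: call a function named by a dotted
// string without eval(), so it works under script-src without 'unsafe-eval'.
// callByPath and sampleRoot are hypothetical names; the sample is constructed.
function callByPath(path, root) {
  if (typeof path !== 'string' || path === '') {
    return 0;
  }
  var parts = path.split('.');
  var parent = root;
  var current = root;
  for (var i = 0; i < parts.length; i++) {
    var type = typeof current;
    // Check the type at every link of the chain before dereferencing it.
    if (current === null || (type !== 'object' && type !== 'function')) {
      return 0;
    }
    // Own properties only: inherited names such as "constructor" never resolve.
    if (!Object.prototype.hasOwnProperty.call(current, parts[i])) {
      return 0;
    }
    parent = current;
    current = current[parts[i]];
  }
  // Strict comparison; call with the owning object as `this`.
  return typeof current === 'function' ? current.call(parent) : 0;
}

// Constructed stand-in for the window object.
var sampleRoot = {
  Drupal: {
    toolbar: { height: function () { return 30; } },
    overlay: {
      offset: 12,
      getDisplacement: function () { return this.offset; }
    },
    settings: { label: 'not callable' }
  }
};

console.log(callByPath('Drupal.toolbar.height', sampleRoot));
console.log(callByPath('Drupal.navbar.height', sampleRoot));
```

In a browser the second argument would be window; a string that is not a plain dotted name, such as one containing parentheses, simply fails the property lookup and yields 0.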
Comment #11
mcdruid
https://git.drupalcode.org/project/drupal/-/blob/7.82/modules/overlay/ov...
...is the other place we spotted some very similar code that should be fixed at the same time.
Comment #12
berliner commented:
Updated the patch from #9 based on the comments from #10 and #11.
Comment #13
poker10, at ActivIT s.r.o., commented:
I have tested the patch #12 and it seems to work correctly (with and without overlay). Errors from the console are gone. I have found two small issues (probably could be fixed on commit).
1. Inconsistent usage of quotes (single vs double)
2. Strict vs loose comparison (probably we should use strict comparison in both places as it is used in jQuery libraries)
Both "problems" are in these two conditions:
Comment #15
mcdruid
I made those changes on commit, thanks @poker10.
Thanks everyone!