FEATURE: Completely remove unsafe-eval from CSP

Plugins can add it via API if they need to use `eval`: ``` extend_content_security_policy(script_src: [:unsafe_eval]) ``` See https://meta.discourse.org/t/104243
2024-11-23 01:47:22 +08:00 · 2019-12-13 12:27:16 +01:00 · 2019-12-13 12:27:16 +01:00 · f62215046f
commit f62215046f
parent 1fb7a6297c
2 changed files with 0 additions and 4 deletions
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@ -1404,9 +1404,6 @@ security:
  content_security_policy_script_src:
    type: list
    default: ""
-  content_security_policy_allow_unsafe_eval:
-    default: true
-    hidden: true
  invalidate_inactive_admin_email_after_days:
    default: 365
    min: 0
--- a/lib/content_security_policy/default.rb
+++ b/lib/content_security_policy/default.rb
@ -51,7 +51,6 @@ class ContentSecurityPolicy
        "#{base_url}/mini-profiler-resources/",
        *script_assets
      ].tap do |sources|
-        sources << :unsafe_eval if SiteSetting.content_security_policy_allow_unsafe_eval
        sources << 'https://www.google-analytics.com/analytics.js' if SiteSetting.ga_universal_tracking_code.present?
        sources << 'https://www.googletagmanager.com/gtm.js' if SiteSetting.gtm_container_id.present?
      end