Error: call to Function() blocked by CSP #861

Closed
loucyx opened this issue Sep 4, 2014 · 6 comments

loucyx commented Sep 4, 2014

CSP (content-security-policy) blocks Handlebars v2.0.0 rendering @ handlebars.js:2236

return Function.apply(this, params);

Allowing 'unsafe-eval' is not an option. Is there a safe implementation of handlebars for the client side?

Collaborator

kpdecker commented Sep 5, 2014

What version of handlebars are you referencing in the file and line reference above?

Author

loucyx commented Sep 5, 2014

Added to the post (v2.0.0).

Edit: Solved by implementing precompile.

loucyx closed this as completed Sep 5, 2014
loucyx reopened this Sep 5, 2014
loucyx closed this as completed Sep 5, 2014

Collaborator

kpdecker commented Sep 5, 2014

Great to hear, that was going to be my suggestion but I wanted to make sure that it was the problem that I was thinking that it was.

@qinfchen

Is there another solution without precompile?

Author

loucyx commented Nov 10, 2014

I don't think so. Still, the precompile is a good option not only to avoid the "eval block", but also to have better performance.


mmerezhko-hv commented Sep 1, 2023

Hello guys, this is not resolved. Still seeing this line in the latest version:

https://cdn.jsdelivr.net/npm/handlebars@latest/dist/handlebars.js

    if (asObject) {
      params.push(source);

      return Function.apply(this, params);
    } else {
      return this.source.wrap(['function(', params.join(','), ') {\n  ', source, '}']);
    }

So the question remains: Is there a safe implementation of handlebars for the client side?

#1934
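
Added example, not part of the original thread and not Handlebars code: a stand-in mini template compiler showing why precompiling avoids the CSP error. It assumes Node's `vm` context option `codeGeneration: { strings: false }` as a stand-in for a page whose policy lacks 'unsafe-eval'; `compileToSource`, `strictPage`, `templates.js` and the sample template are hypothetical names and constructed data.

```javascript
const vm = require('node:vm');

// HTML-escape interpolated values (numeric entities keep the helper short).
const escapeHtml = (v) => String(v).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Build step: turn template text into JavaScript *source text* for a render function.
function compileToSource(template) {
  const parts = template.split(/\{\{\s*(\w+)\s*\}\}/); // odd indexes hold field names
  const exprs = parts.map((p, i) =>
    (i % 2 ? `esc(ctx[${JSON.stringify(p)}])` : JSON.stringify(p)));
  return `function (ctx, esc) { return ${exprs.join(' + ')}; }`;
}

// Stand-in for a page without 'unsafe-eval': eval() and Function() throw EvalError.
function strictPage(globals) {
  return vm.createContext(globals, { codeGeneration: { strings: false, wasm: false } });
}

// Path 1: ship the compiler to the page and build the function there with Function().
function renderWithRuntimeCompile(template, data) {
  const page = strictPage({ src: compileToSource(template) });
  try {
    const render = vm.runInContext("Function('return ' + src)()", page);
    return { blocked: false, html: render(data, escapeHtml) };
  } catch (err) {
    return { blocked: true, error: err.name }; // string-to-code refused by the policy
  }
}

// Path 2: compile at build time; the page only loads the result as an ordinary script file.
function renderPrecompiled(template, data) {
  const bundle = `(${compileToSource(template)})`; // what templates.js would contain
  const render = vm.runInContext(bundle, strictPage({}), { filename: 'templates.js' });
  return render(data, escapeHtml);
}

const TEMPLATE = 'Hello, {{ name }}!'; // constructed sample input
const DATA = { name: '<b>Lou</b>' };   // constructed sample input
console.log(renderWithRuntimeCompile(TEMPLATE, DATA));
console.log(renderPrecompiled(TEMPLATE, DATA));
```

With Handlebars itself, the same split is made by precompiling templates at build time (`Handlebars.precompile` or the `handlebars` command-line tool) and loading only the runtime build, which does not contain the compiler, in the page.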
