dom.template breaks with Content-Security-Policy
thet opened this issue · 1 comments
thet commented
When a Content-Security-Policy header or meta tag is set, then core.dom.template breaks as long as unsafe-eval is not allowed.
Setting the webpack dev server for a demo with this CSP policy like this does already break dom.template:
config.devServer.headers["Content-Security-Policy"] =
"default-src https: http: data: 'self' 'unsafe-inline'; script-src https: http: data: 'self' 'unsafe-inline';";
The error is:
See also:
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
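
Added example, not part of the issue and not the project's own code: it parses the policy quoted above to show that `script-src` without `'unsafe-eval'` forbids `eval()` and `new Function()` (`'unsafe-inline'` does not cover them), and sketches an eval-free interpolation helper that works under that policy. It assumes the template helper evaluates its template as a string, which is what the `unsafe-eval` requirement implies; `parseCsp`, `allowsEval`, `escapeHtml` and `renderTemplate` are hypothetical names.

```javascript
// The policy string is the one from the issue; everything else is illustrative.
const POLICY =
    "default-src https: http: data: 'self' 'unsafe-inline'; " +
    "script-src https: http: data: 'self' 'unsafe-inline';";

// Parse a CSP value into a Map of directive name -> list of source expressions.
function parseCsp(policy) {
    const directives = new Map();
    for (const part of policy.split(";")) {
        const tokens = part.trim().split(/\s+/).filter(Boolean);
        if (tokens.length === 0) continue;
        const name = tokens[0].toLowerCase();
        // A repeated directive is ignored by browsers: the first one wins.
        if (!directives.has(name)) directives.set(name, tokens.slice(1));
    }
    return directives;
}

// eval() and new Function() are governed by script-src, falling back to
// default-src. A policy with neither directive does not restrict them.
function allowsEval(policy) {
    const directives = parseCsp(policy);
    const sources = directives.get("script-src") ?? directives.get("default-src");
    if (sources === undefined) return true;
    return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// HTML-escape a value before it is placed into markup.
function escapeHtml(value) {
    return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Eval-free interpolation: replaces ${name} with the escaped value of
// vars[name]. No string is ever compiled to code, so it needs no 'unsafe-eval'.
// Unlike an evaluated template literal, it supports plain names only.
function renderTemplate(template, vars = {}) {
    return template.replace(/\$\{\s*(\w+)\s*\}/g, (_, key) =>
        Object.prototype.hasOwnProperty.call(vars, key) ? escapeHtml(vars[key]) : ""
    );
}

console.log("policy allows eval:", allowsEval(POLICY));
console.log(renderTemplate("<p>${ name }</p>", { name: "<b>demo</b>" }));
```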