qlik-oss/picasso.js

Usage of Function() constructor not permitted under CSP

Caele opened this issue · 0 comments

Caele commented

๐Ÿ› Bug report

Picasso has instances of Function() constructor usage which throws errors when content-security-policy headers are enforced. To make it work you are required to add unsafe-eval which is generally not recommended.

Steps to Reproduce

  1. Run in an environment with CSP enforced, using for example Nebula and the sn-bar-chart
  2. Error will be thrown

Expected behavior

No errors

Versions

  • picasso.js: ?
  • Browser: All browsers supporting CSP

Additional context

I can provide a demo