I'm trying to use the Facebook Javascript SDK in my web application that I protected with CSP. I added "connect.facebook.net" in my "script-src" CSP list and the SDK is loading. But it looks like the SDK is trying to evaluate a string as Javascript <img src="https://i.stack.imgur.com/mZDWv.png" alt=""> (source: free.fr) How can I use the Facebook SDK without having to add "'unsafe-eval'" in my CSP? Is there a CSP-friendly version of this SDK? Thanks :)

Facebook Javascript SDK and CSP

Unfortunately, you can't use the Facebook SDK without 'unsafe-eval', because the Facebook SDK requires it.

196

answered Oct 01 '22 02:10

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!