Facebook Javascript SDK and CSP

I'm trying to use the Facebook Javascript SDK in my web application that I protected with CSP. I added "connect.facebook.net" in my "script-src" CSP list and the SDK is loading.

But it looks like the SDK is trying to evaluate a string as Javascript:

[Image not preserved; source: free.fr]

How can I use the Facebook SDK without having to add "'unsafe-eval'" in my CSP? Is there a CSP-friendly version of this SDK?

Thanks :)

user1534422 asked Aug 08 '14 05:08


1 Answer

Unfortunately, you can't use the Facebook SDK without 'unsafe-eval', because the Facebook SDK requires it.

yAnTar answered Oct 01 '22 02:10
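The situation in the question comes from two separate CSP decisions: a host in `script-src` controls whether a script may load, while string evaluation is gated only by the `'unsafe-eval'` keyword. The following is an added example, not part of the original question or answer and not Facebook's code; it is a simplified policy checker (host and keyword matching only, ports and paths ignored), and the policy string, page origin and script path are constructed sample values.

```javascript
// Added example: simplified CSP check separating "may load" from "may eval".
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // When a directive is repeated, only its first occurrence is used.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Match a host-source such as "connect.facebook.net" or "https://*.example.com".
function hostMatches(source, url) {
  const { protocol, hostname } = new URL(url);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)/i.exec(source);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && scheme.toLowerCase() + ':' !== protocol) return false;
  if (host.startsWith('*.')) return hostname.endsWith(host.slice(1));
  return hostname === host.toLowerCase();
}

// Returns whether scriptUrl may load and whether eval-like calls are permitted.
function checkScript(policy, pageOrigin, scriptUrl) {
  const d = parseCsp(policy);
  // script-src falls back to default-src; neither present means no restriction.
  const sources = d.get('script-src') ?? d.get('default-src') ?? null;
  if (sources === null) return { canLoad: true, canEval: true };
  const lower = sources.map((s) => s.toLowerCase());
  const canLoad = lower.some((s) =>
    s === '*' ||
    (s === "'self'" && new URL(scriptUrl).origin === pageOrigin) ||
    (!s.startsWith("'") && hostMatches(s, scriptUrl)));
  return { canLoad, canEval: lower.includes("'unsafe-eval'") };
}

// Constructed sample values mirroring the policy described in the question.
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' connect.facebook.net";
const SAMPLE_ORIGIN = 'https://app.example';
const SAMPLE_SDK_URL = 'https://connect.facebook.net/sdk.js';
console.log(checkScript(SAMPLE_POLICY, SAMPLE_ORIGIN, SAMPLE_SDK_URL));
```

With the sample policy the SDK host is allowed to load but evaluation stays blocked, which matches the behaviour the question describes.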