Facebook Javascript SDK and CSP

Question

I'm trying to use the Facebook Javascript SDK in my web application that I protected with CSP. I added "connect.facebook.net" in my "script-src" CSP list and the SDK is loading.

But it looks like the SDK is trying to evaluate a string as Javascript

_{(source: free.fr)}

How can I use the Facebook SDK without having to add "'unsafe-eval'" in my CSP? Is there a CSP-friendly version of this SDK?

Thanks :)

Answer 1

Unfortunately, you can't use the Facebook SDK without 'unsafe-eval', because the Facebook SDK requires it.