Google Charts unsafe-eval

I have removed script-src: 'unsafe-eval' from my CSP headers for security purposes. I have noticed this now broke Google Charts. The chart now fails to render and displays the error:

Invalid JSON string: {}

Any ideas or is Google just blowing it and allowing unsafe-eval in their libraries? I had the same problem with their Maps and had to go with a different library.

anthony-dandrea Avatar asked Jun 09 '15 23:06

1 Answer

Google Visualization is indeed using eval() internally

Currently Google Visualization API is using:
1. eval on corechart.I.js (3 times)
2. eval on jsapi

Taken from here, a bug report regarding GV and Chrome App Manifest v2 compatibility, about 1 month old. Google Visualization does not itself comply with the rules of Manifest V2:

Is your code or library using eval(), new Function(), innerHTML, setTimeout(), or otherwise passing strings of JS code that are dynamically evaluated?

  1. Use JSON.parse() if you’re parsing JSON code into an object.
  2. Use a CSP-friendly library, for example, AngularJS.
  3. Create a sandbox entry in your manifest and run the affected code in the sandbox, using postMessage() to communicate with the sandboxed page.

So Google themselves are pretty much aware of the problem.

My impression is that GV internally is using eval(jsonString) instead of JSON.parse() due to browser compatibility. JSON.parse() was not available prior to IE8, prior to FF 3.1 and so on (see compatibility list); that's why you get the invalid JSON error when you block eval() out.

Since this also affects how GV complies to Manifest rules, I guess the issue will disappear very, very soon.

davidkonrad Avatar answered Oct 21 '22 12:10

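Added example in JavaScript (my own illustration, not Google Visualization's code or anything from the thread): a legacy-style eval-based JSON decoder with a swappable evaluator, run once against a constructed stand-in for a browser whose CSP lacks 'unsafe-eval', to show how a valid `{}` ends up reported as "Invalid JSON string: {}", beside the JSON.parse() replacement and a feature check a page can run to learn whether its CSP blocks eval(). The function names and the EvalError message are assumptions made for the example.

```javascript
// Added example, not Google Visualization's code. The evaluator is passed in
// so the CSP-blocked case can be simulated outside a browser.

// Mimics a legacy eval-based JSON decoder: any failure, including the
// EvalError raised when a CSP forbids string evaluation, is reported as bad JSON,
// which is why a perfectly valid "{}" produces "Invalid JSON string: {}".
function legacyParse(jsonString, evaluate = eval) {
  try {
    return evaluate('(' + jsonString + ')');
  } catch (e) {
    throw new Error('Invalid JSON string: ' + jsonString);
  }
}

// CSP-friendly decoder: JSON.parse() needs no script evaluation at all.
function safeParse(jsonString) {
  return JSON.parse(jsonString);
}

// Constructed stand-in for eval() under a CSP without 'unsafe-eval':
// every attempt to evaluate a string throws an EvalError (message is made up).
function blockedEval() {
  throw new EvalError("Refused to evaluate a string as JavaScript: 'unsafe-eval' is not allowed");
}

// Feature check a page can run to see whether its CSP blocks eval().
function evalIsBlocked(evaluate = eval) {
  try {
    evaluate('1');
    return false;
  } catch (e) {
    return e instanceof EvalError;
  }
}

// Outcome of a legacy-style parse under a given evaluator, as a string.
function parseOutcome(jsonString, evaluate) {
  try {
    return 'ok:' + JSON.stringify(legacyParse(jsonString, evaluate));
  } catch (e) {
    return 'error:' + e.message;
  }
}
```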