"Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script" when trying to run CKEditor

Question

I am running the Invenio digital repository framework locally, which comes with a node module for running CKEditor, whose rich-text capabilities are an essential requirement for this project. I've tried to amend my configuration via Invenio's pretty threadbare documentation without success, so I'm going about it the old-fashioned way: loading the .js file via:

<script src="/static/node_modules/ckeditor/ckeditor.js"></script>

It's definitely trying to load, but I keep getting an error in the console I've never come across before:

ckeditor.js:299 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' 'unsafe-inline'".

I don't see much documentation about this error online, except regarding a Chrome extension (the error appears in the console for all browsers, not just Chrome) and I'm very uncertain about how to proceed. This is an unusual enough error on its own, but I'd also welcome some clarity about how to instantiate the CKEditor in Invenio OOTB. Thanks for your help.

Answer 1

The error you're seeing is related to the Content Security Policy that's set in the headers of your site. Among other things, default-src 'self' says "don't allow eval".

The way around it is to add 'unsafe-eval' to the policy. Also note: you have 'unsafe-inline' twice. The second one isn't doing anything so you could replace that with 'unsafe-eval'. Also note: eval is considered bad practice and insecure -- hence the "unsafe". I'm guessing that ckeditor uses it only for good, though.