Hi Anthony,

As noted in David Konrad's answer to this StackOverflow question
<http://stackoverflow.com/questions/30744615/google-charts-unsafe-eval>,
the remaining use of eval() in Google Charts code involves browser
compatibility.  We are now using JSON.parse() in most situations, if it is
available.   We also have to resolve at least one more use of eval, when
processing the response to an XHR request for data from a spreadsheet.
The issue here involves calling the JavaScript Date() constructor to create
date values, but this use can be entirely replaced by our Date string
notation.

But there is one other use of eval that will be more difficult to resolve.
When more than one google.load() call is made to load additional code, this
must be done in the context of the originally loaded code, and currently,
this must be done with an eval().  A simple alternative is to just not
support additional calls to google.load().

On Tue, Jun 9, 2015 at 7:29 PM, Anthony D'Andrea <[email protected]>
wrote:

> Using Google Charts on my site and I removed
> script-src 'unsafe-eval'
> from my CSP headers. Now the chart fails to render. It now displays an
> invalid JSON error. It would be nice if google charts didn't require
> unsafe-eval so I can be more secure.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Google Visualization API" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to
> [email protected].
> Visit this group at
> http://groups.google.com/group/google-visualization-api.
> For more options, visit https://groups.google.com/d/optout.
>



-- 
Daniel LaLiberte <https://plus.google.com/100631381223468223275?prsrc=2>  -
978-394-1058
[email protected] <[email protected]>   5CC, Cambridge MA
[email protected] <[email protected]> 9 Juniper Ridge
Road, Acton MA
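
Added example, not part of the original message and not Google Charts code: one way to parse a data response under a CSP without `'unsafe-eval'`, using `JSON.parse()` with a reviver that rebuilds dates from Date string notation. It assumes the notation is a string of the form `Date(year, month, day[, h, m, s[, ms]])` with a zero-based month; the function names and sample payloads are constructed for illustration.

```javascript
// Added example: CSP-safe parsing of a chart data response (no eval, no Function).
// Assumption: dates arrive as strings "Date(year, month, day[, h, m, s[, ms]])"
// with a zero-based month. All names below are hypothetical.
const DATE_STRING = /^Date\(\s*(\d{1,4}(?:\s*,\s*\d{1,3}){1,6})\s*\)$/;

// JSON.parse reviver: turn Date strings into Date objects, leave the rest alone.
function reviveDates(_key, value) {
  if (typeof value !== 'string') return value;
  const match = DATE_STRING.exec(value);
  if (!match) return value; // ordinary string, e.g. a label
  const parts = match[1].split(',').map((p) => Number(p.trim()));
  return new Date(...parts); // only numeric arguments reach the constructor
}

// Parse a response body as strict JSON and revive its date cells.
function parseDataResponse(text) {
  return JSON.parse(text, reviveDates);
}

// True when the text is strict JSON. A body that embeds a JavaScript
// expression such as `new Date(...)` is not, and would have needed eval().
function isStrictJson(text) {
  try {
    JSON.parse(text);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample: the same row in Date string notation...
const SAMPLE = JSON.stringify({
  cols: [{ label: 'Day', type: 'date' }, { label: 'Visits', type: 'number' }],
  rows: [
    { c: [{ v: 'Date(2015, 5, 9)' }, { v: 42 }] },
    { c: [{ v: 'Date night' }, { v: 7 }] },
  ],
});
// ...and as a constructed eval-style body with a constructor call in it.
const LEGACY_SAMPLE = '{"rows":[{"c":[{"v":new Date(2015,5,9)},{"v":42}]}]}';

const table = parseDataResponse(SAMPLE);
console.log(table.rows[0].c[0].v.toDateString(), isStrictJson(LEGACY_SAMPLE));
```
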
