Hi Daniel,

Has this been resolved now? If not, is there a workaround for this eval() 
function?

For security purposes, we have to remove `unsafe-eval` from the CSP and 
this now breaks our charts...

Thank you.

On Wednesday, June 10, 2015 at 11:05:01 PM UTC+10, Daniel LaLiberte wrote:
>
> Hi Anthony,
>
> As noted in David Konrad's answer to this StackOverflow question 
> <http://stackoverflow.com/questions/30744615/google-charts-unsafe-eval>, 
> the remaining use of eval() in Google Charts code involves browser 
> compatibility.  We are now using JSON.parse() in most situations, if it is 
> available.   We also have to resolve at least one more use of eval, when 
> processing the response to an XHR request for data from a spreadsheet.   
> The issue here involves calling the JavaScript Date() constructor to create 
> date values, but this use can be entirely replaced by our Date string 
> notation.
>
> But there is one other use of eval that will be more difficult to 
> resolve.  When more than one google.load() call is made to load additional 
> code, this must be done in the context of the originally loaded code, and 
> currently, this must be done with an eval().  A simple alternative is to 
> just not support additional calls to google.load().
>
> On Tue, Jun 9, 2015 at 7:29 PM, Anthony D'Andrea <[email protected]> wrote:
>
>> Using Google Charts on my site and I removed
>> script-src 'unsafe-eval'
>> from my CSP headers. Now the chart fails to render. It now displays an 
>> invalid JSON error. It would be nice if google charts didn't require 
>> unsafe-eval so I can be more secure.
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Google Visualization API" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at 
>> http://groups.google.com/group/google-visualization-api.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
>
> -- 
> Daniel LaLiberte <https://plus.google.com/100631381223468223275?prsrc=2> 
>  - 978-394-1058
> [email protected]   5CC, Cambridge MA
> [email protected] 9 Juniper Ridge Road, Acton MA
>
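
Added example, not part of the original emails and not Google Charts code: one way to read a data response without eval(), using JSON.parse() with a reviver that converts Date string notation into Date objects, so the page works under a CSP without `unsafe-eval`. The payload is constructed, the function names are hypothetical, and the notation is assumed to be `Date(year, month, day[, hours, minutes, seconds, ms])` with a zero-based month.

```javascript
'use strict';

// Constructed sample payload (not from the thread): strict JSON, dates as strings.
const SAMPLE = JSON.stringify({
  cols: [{ label: 'Day', type: 'date' }, { label: 'Hits', type: 'number' }],
  rows: [
    { c: [{ v: 'Date(2015,5,9)' }, { v: 12 }] },
    { c: [{ v: 'Date(2015,5,10,23,5,1)' }, { v: 7 }] },
    { c: [{ v: 'Date(foo())' }, { v: 0 }] } // not purely numeric: must stay a string
  ]
});

// Whole-string match: only 3 to 7 comma-separated non-negative integers qualify.
const DATE_NOTATION = /^Date\(\s*(\d+(?:\s*,\s*\d+){2,6})\s*\)$/;

// Reviver for JSON.parse: turns Date-notation strings into Date objects.
// Anything that does not match the pattern is returned untouched, as data.
function reviveDate(key, value) {
  if (typeof value !== 'string') return value;
  const m = DATE_NOTATION.exec(value);
  if (!m) return value;
  const parts = m[1].split(',').map(Number);
  return new Date(...parts); // local time, month is zero-based
}

// Parse a response body without eval() or the Function constructor.
function parseTable(text) {
  return JSON.parse(text, reviveDate);
}

// A response written as a JavaScript literal (e.g. containing `new Date(...)`)
// is not JSON; JSON.parse rejects it instead of executing it.
function isStrictJson(text) {
  try { JSON.parse(text); return true; } catch (e) { return false; }
}

console.log(parseTable(SAMPLE).rows.map(r => r.c[0].v));
console.log(isStrictJson('{"v": new Date(2015,5,9)}'));
```

Because the reviver only ever constructs a Date from integers, nothing in the response body is executed as script.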
