Skip to content

Commit f130576

Browse files
committed
fix(viewer): add unsafe-eval to CSP for Vue 3 runtime template compiler
Vue 3 CDN build compiles in-DOM HTML templates via new Function() at runtime. Without 'unsafe-eval' in script-src the app fails to mount. This is unavoidable without a build step (pre-compiled SFCs). Also adds cdn.jsdelivr.net to connect-src to suppress the browser DevTools warning about blocked source map requests.
1 parent 494b49e commit f130576

1 file changed

Lines changed: 3 additions & 1 deletion

File tree

cap/app/viewer/index.html

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,8 +4,10 @@
44
<head>
55
<meta charset="UTF-8">
66
<meta name="viewport" content="width=device-width, initial-scale=1">
7+
<!-- 'unsafe-eval' required: Vue 3 CDN build compiles in-DOM templates via new Function() at runtime.
8+
Remove if switching to a pre-compiled (SFC + build step) approach. -->
79
<meta http-equiv="Content-Security-Policy"
8-
content="default-src 'none'; script-src 'self' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline'; connect-src 'self'">
10+
content="default-src 'none'; script-src 'self' https://cdn.jsdelivr.net 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' https://cdn.jsdelivr.net">
911
<title>Data Browser</title>
1012

1113
<!-- Theme init: runs before body renders to avoid flash of wrong theme -->

0 commit comments

Comments
 (0)