Content Security Policy Config

Hi,

Nextcloud server and apps require the unsafe-eval entry in the CSP header for now. Devs are already aware of that and trying to remove it:

Because it is not easy to do and requires a lot of changes in the code, it takes some time. However it is in the Backlog of the “Security Hardenings” (first column on the left side):

This CSP header entry should not be a serious issue though since @LukasReschke made some changes:

This seems rather hard to accomplish due to our existing JS code base. As a first step I’ve added a hardening to jQuery that makes the unsafe-eval in jQuery a non-issue at least: #3874

(Source: Get rid of all unsafe-eval Javascripts · Issue #1185 · nextcloud/server · GitHub)

As soon as the code base has been adapted, the CSP header will be removed by Nextcloud with a feature update. So there is nothing to do for you. Just wait until it’s “enhanced” (not to say fixed) :slight_smile:

But I’m with you; I’m also hoping it is done soon :slight_smile:
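
An added example, not part of the original post and not Nextcloud's code: a small Node.js check that reports whether a Content-Security-Policy header value still permits `eval()`, which is useful for confirming after an update whether the entry is gone. The function names and the sample header values are constructed for illustration and are not Nextcloud's actual header.

```javascript
// Added example: does a Content-Security-Policy header value permit eval()?

// Parse one policy into a Map of directive name -> list of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True if every policy in the header value lets scripts call eval().
function allowsEval(headerValue) {
  // A comma separates independent policies. The browser enforces all of
  // them, so eval() works only if each policy permits it.
  const policies = headerValue.split(',').filter((p) => p.trim() !== '');
  return policies.every((policy) => {
    const directives = parseCsp(policy);
    // eval() is governed by script-src, with default-src as the fallback.
    const governing = ['script-src', 'default-src'].find((d) => directives.has(d));
    // No governing directive means this policy does not restrict eval().
    if (!governing) return true;
    // Keyword sources are matched case-insensitively.
    return directives.get(governing).some((s) => s.toLowerCase() === "'unsafe-eval'");
  });
}

// Constructed sample values (not copied from a real server).
const WITH_EVAL =
  "default-src 'none'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'";
const WITHOUT_EVAL =
  "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'";

console.log('with entry   :', allowsEval(WITH_EVAL));
console.log('without entry:', allowsEval(WITHOUT_EVAL));
```

Pass it the value of the `Content-Security-Policy` response header from your own instance. A `script-src` directive overrides `default-src` completely, so an `'unsafe-eval'` that appears only in `default-src` has no effect once `script-src` is present.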