CSP 'unsafe-eval' error when using the Google Maps API

Getting script-src 'unsafe-eval' error while trying to use the Google Maps API.

<script src="https://maps.googleapis.com/maps/api/js?v=3.exp&sensor=false"></script>

Here's the console error:

 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' ' *.gstatic.com *.googleapis.com *.google-analytics.com *.google.com". 

You would think that Google would not have any unsafe triggers in its libraries. In case the problem is on my side, my code is below:

Js

    function initialize() {
        // Create the map.
        var mapOptions = {
            zoom: 4,
            center: new google.maps.LatLng(37.09024, -95.712891),
            mapTypeId: google.maps.MapTypeId.ROADMAP,
            zoomControl: true,
            streetViewControl: false
        };
        var map = new google.maps.Map(document.getElementById('map-canvas'), mapOptions);

        google.maps.event.addListener(map, "click", function (e) {
            var marker = new google.maps.Marker({
                draggable: true,
                raiseOnDrag: false,
                map: map,
                position: e.latLng
            });

            var radius = Math.pow(2, (20 - map.getZoom())) * 3;
            if (radius < 100) {
                radius = 100;
            }

            var circle = new google.maps.Circle({
                map: map,
                editable: true,
                radius: radius,
                fillColor: '#0159e5',
                strokeColor: '#0159e5',
                strokeWeight: 1,
                geodesic: true
            });
            circle.bindTo('center', marker, 'position');

            google.maps.event.addListener(circle, 'radius_changed', function() {
                if (circle.getRadius() < 100) {
                    circle.setRadius(100);
                }
            });

            // Set form fields
            document.getElementById("geo-fence-lat").value = marker.getPosition().lat();
            document.getElementById("geo-fence-long").value = marker.getPosition().lng();
            document.getElementById("geo-fence-radius").value = Math.ceil(radius/100)*100;

            google.maps.event.clearListeners(map, "click");
            addListeners(circle);
        });
    }

Any corrections or ideas for alternatives to GMaps would be appreciated.

Edit: These are the offending lines in Chrome, found in maps.gstatic.com/maps-api-v3/api/js/21/2/main.js.

    Kh.main = function(a) {
        eval(a)
    };
    fg("main", {});
    function ql(a) {
        return O(eval, k, "window." + a + "()")
    }
javascript google-maps google-maps-api-3 content-security-policy
1 answer

It looks like it was mostly fixed in Google Maps 3.23 - see issue 4201

There are several more instances of eval in the code, such as eval('document.namespaces') inside try blocks (see related closure fix).

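Added example (not part of the original question or answer): a small JavaScript checker, runnable in Node.js, that evaluates the policy quoted in the console error and shows why the Maps script is allowed to load while its eval() calls are refused. The function names are hypothetical, and the host matching is a simplification of CSP source-list rules ('self', schemes, ports, paths, nonces and hashes are not handled).

```javascript
// Policy string copied verbatim from the console error in the question (stray quote included).
const POLICY = "script-src 'self' ' *.gstatic.com *.googleapis.com *.google-analytics.com *.google.com";

// Parse a CSP header value into a Map: directive name -> array of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src falls back to default-src; null means no directive governs scripts.
function scriptSources(directives) {
  return directives.get("script-src") ?? directives.get("default-src") ?? null;
}

// eval(), new Function() and string arguments to setTimeout() need 'unsafe-eval'.
function allowsEval(policy) {
  const sources = scriptSources(parseCsp(policy));
  if (sources === null) return true; // nothing restricts script execution
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Simplified host-source match: bare host names with an optional leading "*." wildcard.
// Unknown tokens (such as the stray quote in POLICY) never match.
function allowsScriptFrom(policy, url) {
  const sources = scriptSources(parseCsp(policy));
  if (sources === null) return true;
  const host = new URL(url).hostname.toLowerCase();
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "*") return true;
    if (s.startsWith("*.")) return host.endsWith(s.slice(1)); // subdomains only
    return /^[a-z0-9.-]+$/.test(s) && s === host;
  });
}

// Combine both checks for one script URL under one policy.
function explain(policy, url) {
  return { scriptLoads: allowsScriptFrom(policy, url), evalAllowed: allowsEval(policy) };
}
```

Calling `explain(POLICY, "https://maps.googleapis.com/maps/api/js?v=3.exp&sensor=false")` reports that the script load is permitted by `*.googleapis.com` while eval is not, which matches the EvalError raised from main.js.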