Because eval is literally unsafe. Eval in every language means “take this string and execute it code.” Sure, you may be using eval in a semi-safe way, but as long as you allow it at all, you are saying “anyone is allowed to execute arbitrary code in my application given an entry point”. 2022 edit: … Read more
The correct answer to my question was given as an answer to another, similar question. It refers to the CSP specification which clearly states, that the policy only affects resources which create a new “execution context”. This means, it is not necessary to add the CSP to REST API responses which are not meant to … Read more
default-src, frame-ancestors, and frame-src are all part of the Content-Security-Policy response header. frame-src Restricts what domains and page can load in an iframe. The HTTP Content-Security-Policy (CSP) frame-src directive specifies valid sources for nested browsing contexts loading using elements such as <frame> and <iframe>. For example: If the website at https://example.com has a response header … Read more
According to the grammar in the CSP spec, you need to specify schemes as scheme:, not just scheme. So, you need to change the image source directive to: img-src ‘self’ data:;