Triggers CSP violations if unsafe-eval is not used

[sorin-davidoi]

Using the script-src directive without 'unsafe-eval' results in a violation:

Content Security Policy: The page's settings blocked the loading of a resource at eval ("script-src").

This is caused by the following line in http://static.filestackapi.com/filestack-js/3.17.0/filestack.min.js:

try{i=i||new Function("return this")()}catch(t)

While this doesn't seem to affect the functionality of the library, if one uses the report-uri directive it will result in useless HTTP requests being made.

[Cherry]

This is affecting us in production too. Is there any way to disable this unsafe-eval call?

[kYann]

Hello, same here !

[phthhieu]

Hi team, any update on this? We have the same issue at version 3.36.4, the violation we trace at filestack-js/build/browser/filestack.esm.js, Line 25:76574

[truongnguyen-eh]

I can confirm upgrading to Webpack 5 will resolve the problem.
The current violation is from the logic used for safely accessing the global object. In builds using Webpack 5, the code first checks globalObject, which is widely supported by modern browsers, ensuring it does not reach unsafe-eval code.

It would be really great if we can proceed this PR #503