
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script

Issue

TGML Graphic worked without error in EcoStruxure Building Operation 2.0 WebStation. After an upgrade to 3.0, WebStation displays one of the following errors on page load:

Script error in DocumentLoadEvent (Component_Name)
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' blob: 'unsafe-inline'".
Do you want to continue running this script?

This site says...
Script error in DocumentLoadEvent (Component_Name)
Blocked by Content Security Policy
Do you want to continue running this script?

Script error in DocumentLoadEvent (Component_Name)
call to eval() blocked by CSP
Do you want to continue running this script?

Product Line

EcoStruxure Building Operation

Environment

  • Building Operation 3.0
  • TGML Graphics

Cause

A new security setting in 3.0 disallows eval() statements by default in the TGML JavaScript presented in WebStation. An eval() statement executes an arbitrary string as code, so any string that an attacker can influence becomes executable script; the resulting weakness is akin to SQL injection or cross-site scripting. WebStation enforces the restriction through the browser's Content Security Policy: the script-src directive quoted in the error omits 'unsafe-eval', so the browser itself refuses the call, and the exact wording of the message depends on the browser. If graphics were created in earlier versions and relied on eval() to execute dynamic code, the user is notified when the graphic is opened in 3.0 WebStation.

Resolution

Any graphics relying on eval() to execute dynamic code should have their JavaScript functions rewritten to avoid use of eval(). This is the preferred approach with respect to cyber-security.
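The following is an added example, not code from the article or from Schneider Electric, showing three eval() idioms commonly found in older graphic scripts and an eval-free rewrite of each; the handler names, the sample data and the field paths are constructed for illustration and do not use any TGML API.

```javascript
// Added example (not from the original article or Schneider Electric):
// three eval() idioms that the WebStation CSP now blocks, each rewritten
// so that no string is ever evaluated as code. Names are illustrative.

// 1. Legacy: eval("values." + path) to read a nested field.
//    Replacement: walk the object by explicit property keys.
function getPath(obj, path) {
  return path.split(".").reduce(function (cur, key) {
    // Return undefined on a missing intermediate object instead of throwing.
    return cur !== undefined && cur !== null ? cur[key] : undefined;
  }, obj);
}

// 2. Legacy: eval(handlerName + "(evt)") to dispatch by a string name.
//    Replacement: an explicit allow-list of callable handlers, so a string
//    taken from a binding can only select code, never define it.
var handlers = {
  showAlarm: function (evt) { return "alarm:" + evt.source; },
  hideAlarm: function (evt) { return "cleared:" + evt.source; }
};

function dispatch(name, evt) {
  // hasOwnProperty keeps inherited names such as "constructor" out.
  if (!Object.prototype.hasOwnProperty.call(handlers, name)) {
    return null; // unknown name: refuse rather than evaluate anything
  }
  return handlers[name](evt);
}

// 3. Legacy: eval("(" + text + ")") to turn a JSON-like string into an object.
//    Replacement: JSON.parse, which parses data only and cannot run code.
function parseConfig(text) {
  try {
    return JSON.parse(text);
  } catch (e) {
    return null; // malformed input is a data error, not executable script
  }
}

// Constructed sample data standing in for values bound to a graphic component.
var sample = { point: { value: 21.5, unit: "degC" } };
```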

Work-Around

It is possible, but not recommended, to disable the new security check in WebStation TGML graphics.

  1. Within WorkStation open the Control Panel
  2. Go to Security Settings
  3. Check the box for "Enable WebStation to use unsafe string evaluated JavaScript methods like 'eval'"

For more information, see Web Help article: Enabling WebStation to Use Unsafe JavaScript Methods.
