Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script


A TGML graphic worked without error in EcoStruxure Building Operation 2.0 WebStation. After an upgrade to 3.0, WebStation displays one of the following errors on page load:


Script error in DocumentLoadEvent (Component_Name)
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' blob: 'unsafe-inline'".
Do you want to continue running this script?


This site says...
Script error in DocumentLoadEvent (Component_Name)
Blocked by Content Security Policy
Do you want to continue running this script?


Script error in DocumentLoadEvent (Component_Name)
call to eval() blocked by CSP
Do you want to continue running this script?

Product Line

EcoStruxure Building Operation


  • Building Operation 3.0
  • TGML Graphics


A new security setting in 3.0 disallows eval() statements by default in TGML JavaScript presented in WebStation. An eval() statement executes a string of characters as code, which, if enabled, can open security vulnerabilities akin to a SQL injection or cross-site scripting attack. If graphics were created in earlier versions and relied on eval() to execute dynamic code, the user will be notified upon opening the graphic in 3.0 WebStation.


Any graphics relying on eval() to execute dynamic code should have their JavaScript functions rewritten to avoid use of eval(). This is the preferred approach with respect to cyber-security.
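The following added example (not Schneider Electric's code) shows two common eval() patterns and an eval-free rewrite of each: calling a function chosen by name, and turning a string into an object. The function names, state names, attribute values and the element stub are assumptions made so the snippet runs outside WebStation.

```javascript
// Added example. All names here (applyState, STATE_HANDLERS, the element stub)
// are hypothetical and are not part of the TGML scripting API.

// Before: builds source text from a value and evaluates it. Blocked in 3.0
// WebStation because the policy's script-src does not include 'unsafe-eval'.
function applyStateWithEval(el, state) {
  return eval("set" + state + "(el)");
}

function setRunning(el) { el.setAttribute("Fill", "#00FF00"); return "Running"; }
function setStopped(el) { el.setAttribute("Fill", "#808080"); return "Stopped"; }
function setAlarm(el)   { el.setAttribute("Fill", "#FF0000"); return "Alarm"; }

// After: the dynamic part is a key into a fixed table, never source text.
// Object.create(null) keeps inherited names such as "constructor" out.
const STATE_HANDLERS = Object.assign(Object.create(null), {
  Running: setRunning,
  Stopped: setStopped,
  Alarm: setAlarm,
});

function applyState(el, state) {
  const handler = STATE_HANDLERS[state];
  if (typeof handler !== "function") {
    throw new RangeError("Unknown state: " + String(state));
  }
  return handler(el);
}

// Before: eval("(" + text + ")") to turn a bound string into an object.
// After: JSON.parse accepts data only and throws on anything else.
function parseSetpoints(text) {
  const value = JSON.parse(text);
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new TypeError("Expected a JSON object");
  }
  return value;
}

// Stand-in for a graphic element, so the example runs outside WebStation.
function makeElement() {
  const attrs = {};
  return { attrs, setAttribute(name, value) { attrs[name] = String(value); } };
}
```

The same policy also blocks `new Function(string)` and string arguments to `setTimeout`/`setInterval`, so those need the same treatment as eval().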

It is possible, but not recommended, to disable the new security check in WebStation TGML graphics.

  1. Within WorkStation, open the Control Panel.
  2. Go to Security Settings.
  3. Check the box for "Enable WebStation to use unsafe string evaluated JavaScript methods like 'eval'".

For more information, see the Web Help article: Enabling WebStation to Use Unsafe JavaScript Methods.
