Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script

Issue

A TGML graphic that worked without error in EcoStruxure Building Operation 2.0 WebStation. After an upgrade to 3.0, WebStation displays one of the following errors when the page loads:

Script error in DocumentLoadEvent (Component_Name)
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' blob: 'unsafe-inline'".
Do you want to continue running this script?

This site says...
Script error in DocumentLoadEvent (Component_Name)
Blocked by Content Security Policy
Do you want to continue running this script?

Script error in DocumentLoadEvent (Component_Name)
call to eval() blocked by CSP
Do you want to continue running this script?

Product Line

EcoStruxure Building Operation

Environment

  • Building Operation 3.0
  • TGML Graphics

Cause

A new security setting in 3.0 disallows eval() by default in the TGML JavaScript that WebStation presents. The Content Security Policy quoted in the first error, "script-src 'self' blob: 'unsafe-inline'", does not include 'unsafe-eval', so the browser refuses any call that executes a string as code. eval() executes a string of characters as code, which can open security vulnerabilities if enabled, something akin to a SQL injection or cross-site scripting attack. If graphics were created in earlier versions and relied on eval() to execute dynamic code, the user is notified upon opening the graphic in 3.0 WebStation.

Resolution

Any graphics relying on eval() to execute dynamic code should have their JavaScript functions rewritten to avoid use of eval(). This is the preferred approach with respect to cyber-security.
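A typical migration away from eval() in a DocumentLoadEvent script, shown as an added example that is not Schneider Electric's code: the bindings object, the zone names and the action names are constructed placeholders, and the "before" functions are the kind of string-built code that the 3.0 policy blocks.

```javascript
// Constructed sample of the values a graphic reads in its DocumentLoadEvent
// handler (placeholder data, not from a real server).
const bindings = {
  Zone1: { Temp: 21.5, Setpoint: 22.0 },
  Zone2: { Temp: 19.0, Setpoint: 21.0 },
};

// BEFORE: the accessor is assembled as source text and executed. Under the 3.0
// policy "script-src 'self' blob: 'unsafe-inline'" this line throws at load.
function readValueWithEval(path) {
  return eval("bindings." + path); // e.g. path = "Zone1.Temp"
}

// AFTER: walk the dotted path with bracket access. Only own properties are
// followed, so a path such as "Zone1.constructor" yields undefined instead of
// reaching into the prototype chain. No string is ever executed as code.
function readValue(path) {
  return path.split(".").reduce(
    (obj, key) =>
      obj != null && Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined,
    bindings
  );
}

// BEFORE: a function is chosen by name and its arguments spliced into code.
// This only works when setSetpoint etc. are declared at script scope, which is
// how older graphics typically exposed them.
function runActionWithEval(name, args) {
  return eval(name + "(" + args.map(JSON.stringify).join(",") + ")");
}

// AFTER: an explicit dispatch table. Names not in the table are refused rather
// than resolved against the global scope.
const actions = {
  setSetpoint(zone, value) {
    bindings[zone].Setpoint = value;
    return bindings[zone].Setpoint;
  },
  deviation(zone) {
    return bindings[zone].Temp - bindings[zone].Setpoint;
  },
};
function runAction(name, ...args) {
  if (!Object.prototype.hasOwnProperty.call(actions, name)) {
    throw new Error("Unknown action: " + name);
  }
  return actions[name](...args);
}
```

Applying the same two substitutions (bracket access for string-built property paths, a lookup table for string-built calls) removes most eval() uses found in graphics scripts without changing what the graphic displays.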

Work-Around

It is possible, but not recommended, to disable the new security check in WebStation TGML graphics.

  1. Within WorkStation open the Control Panel
  2. Go to Security Settings
  3. Check the box for "Enable WebStation to use unsafe string evaluated JavaScript methods like 'eval'"