'unsafe-eval' is not an allowed source of script

Sorry for all of these posts, I have never coded in my life before.

I am getting an error

  • Executing: | storeEval | storedVars['Raw_CCC'].slice(8) | USD |

  • [error]

Error in runEval code: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://assets.coinbase.com https://www.google-analytics.com/analytics.js https://static.statsjar.com/analytics/rsxdhm2zkI.js https://cdn.plaid.com/link/v2/stable/link-initialize.js https://gc.kis.v2.scr.kaspersky-labs.com wss://gc.kis.v2.scr.kaspersky-labs.com".

I looked it up, and found the following:

Code like the following does not work:

alert(eval("foo.bar.baz"));
window.setTimeout("alert('hi')", 10);
window.setInterval("alert('hi')", 10);
new Function("return foo.bar.baz");

Evaluating strings of JavaScript like this is a common XSS attack vector. Instead, you should write code like:

alert(foo && foo.bar && foo.bar.baz);
window.setTimeout(function() { alert('hi'); }, 10);
window.setInterval(function() { alert('hi'); }, 10);
(function() { return foo && foo.bar && foo.bar.baz; });

I don’t see a pattern to how these are being rewritten. How do I re-write my command so that this will work? I don’t know why this is happening, since the command should not be sent to the website to be executed, but performed inside Kantu.

I also saw that I could add "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'" to my “policy” to relax security. Where do I put that in?

Thanks, Nathan
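
An added example, not part of the original post and not Kantu's code: a JavaScript sketch that parses the policy from the error message to show why string evaluation is refused, then does the same lookups as ordinary code with no string compilation. The function names and the `Raw_CCC` sample value are constructed for illustration.

```javascript
// Policy copied from the error message above (typographic quotes normalised).
const POLICY = "script-src 'self' https://assets.coinbase.com " +
  "https://www.google-analytics.com/analytics.js " +
  "https://static.statsjar.com/analytics/rsxdhm2zkI.js " +
  "https://cdn.plaid.com/link/v2/stable/link-initialize.js " +
  "https://gc.kis.v2.scr.kaspersky-labs.com wss://gc.kis.v2.scr.kaspersky-labs.com";

// Parse one CSP header value into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// eval(), new Function() and string timers are governed by script-src,
// falling back to default-src. With neither present, nothing is restricted.
function allowsEval(header) {
  const d = parseCsp(header);
  const sources = d.get('script-src') ?? d.get('default-src');
  if (sources === undefined) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Replacement for eval("foo.bar.baz"): walk the path as data, so no string
// is ever compiled and a missing link yields undefined instead of throwing.
function getPath(root, path) {
  const own = Object.prototype.hasOwnProperty;
  return path.split('.').reduce(
    (obj, key) => (obj != null && own.call(obj, key) ? obj[key] : undefined),
    root);
}

// The expression from the failing command, written as plain code.
// Constructed sample value; the real content of Raw_CCC is not on the page.
const storedVars = { Raw_CCC: 'Total = 42.10' };
function rawAmount(vars) {
  return vars['Raw_CCC'].slice(8);
}

console.log('site policy allows eval:', allowsEval(POLICY));
console.log('amount:', rawAmount(storedVars));
```

The pattern in the rewritten snippets is the same throughout: wherever a string of source code was handed to the engine, a function or a direct expression takes its place.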

Please see this post: [Feature Request] [Issue #279] Error in runEval code: Refused to evaluate a string as JavaScript because 'unsafe-eval'

Summary: It is a website related issue, and a new “sandboxed” storeEval is planned

Alright, thank you. That means that I cannot do any storeEval commands in my script. Difficult.

Yes you can.
You just have to switch to a tab (with selectWindow) where storeEval is allowed.
E.g. a9t9.com

Wonderful, thank you!

Meanwhile available as executeScript_Sandbox