fix: add unsafe-eval to production CSP — Livewire uses eval()

Alpine.js evaluates expressions via eval() at runtime.

Co-Authored-By: Virgil <virgil@lethean.io>
Snider 2026-03-10 05:32:46 +00:00
parent 87ae36ef22
commit 7d7c489509


@ -169,11 +169,9 @@ return [
'style-src' => ["'unsafe-inline'"],
],
'production' => [
// Livewire and Alpine require unsafe-inline for their
// runtime-injected scripts and styles. Enable nonces
// (SECURITY_CSP_NONCE_ENABLED=true) only if all inline
// content carries the nonce attribute.
'script-src' => ["'unsafe-inline'"],
// Livewire and Alpine require unsafe-inline and unsafe-eval
// for runtime-injected scripts/styles and expression evaluation.
'script-src' => ["'unsafe-inline'", "'unsafe-eval'"],
'style-src' => ["'unsafe-inline'"],
],
],
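Review bot: The production `script-src` now lists both `'unsafe-inline'` and `'unsafe-eval'`, so this directive no longer restricts inline script or string-to-code evaluation and gives little containment if markup injection occurs. The rewritten comment also drops the pointer to `SECURITY_CSP_NONCE_ENABLED` that the previous comment carried. I would keep that pointer and state the trade-off next to the directive, for example `// unsafe-eval: Alpine compiles expressions at runtime. With unsafe-inline also set, script-src does not contain XSS;` followed by `// set SECURITY_CSP_NONCE_ENABLED=true once all inline content carries the nonce attribute.` How the nonce setting interacts with this array is not visible in the hunk, so that wording should be checked against the code that builds the header. If the front end can run on Alpine's CSP-compatible build, `'unsafe-eval'` may not be needed in production at all; the enclosing config array starts and ends outside this hunk.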