From 7d7c4895097b49186ad5b24e53f0b39ec4a18cca Mon Sep 17 00:00:00 2001
From: Snider
Date: Tue, 10 Mar 2026 05:32:46 +0000
Subject: [PATCH] =?UTF-8?q?fix:=20add=20unsafe-eval=20to=20production=20CS?= =?UTF-8?q?P=20=E2=80=94=20Livewire=20uses=20eval()?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Alpine.js evaluates expressions via eval() at runtime.
Co-Authored-By: Virgil
---
 src/Core/Headers/config.php | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/src/Core/Headers/config.php b/src/Core/Headers/config.php
index 1d0815f..34da29f 100644
--- a/src/Core/Headers/config.php
+++ b/src/Core/Headers/config.php
@@ -169,11 +169,9 @@ return [
 'style-src' => ["'unsafe-inline'"],
 ],
 'production' => [
- // Livewire and Alpine require unsafe-inline for their
- // runtime-injected scripts and styles. Enable nonces
- // (SECURITY_CSP_NONCE_ENABLED=true) only if all inline
- // content carries the nonce attribute.
- 'script-src' => ["'unsafe-inline'"],
+ // Livewire and Alpine require unsafe-inline and unsafe-eval
+ // for runtime-injected scripts/styles and expression evaluation.
+ 'script-src' => ["'unsafe-inline'", "'unsafe-eval'"],
 'style-src' => ["'unsafe-inline'"],
 ],
 ],
 ],
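Review bot: The production `script-src` now carries both `'unsafe-inline'` and `'unsafe-eval'`, which leaves the policy with almost no protection against injected script, and the rewritten comment neither says so nor keeps the pointer to the nonce option that the old comment documented. I would state the trade-off and restore that pointer, e.g. `// 'unsafe-eval' allows eval()/new Function() for Alpine expressions; combined with 'unsafe-inline' this gives little XSS protection.` followed by `// Prefer nonces (SECURITY_CSP_NONCE_ENABLED=true) once all inline content carries the nonce attribute.` It may also be worth checking whether Alpine's CSP-compatible build would remove the need for `'unsafe-eval'`; that cannot be judged from this hunk. The surrounding `return [` array starts and ends outside the hunk, so how this production override merges with the base directives is not visible here.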