intlify / vue-i18n

Vue I18n for Vue 3

Home Page: https://vue-i18n.intlify.dev/


CSP Violation when `unsafe-eval` is not set

dgautsch opened this issue · comments

Reporting a bug?

For sites that have a CSP and do not include `unsafe-eval`, the i18n compilation file breaks due to this line:

https://github.com/intlify/vue-i18n-next/blob/8fd6a1b5fdacba7024ce260250a6d289032036cc/packages/core-base/src/compilation.ts#L94

core-base.mjs:942 Uncaught (in promise) EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'nonce-doNVvddpMzAmzhAPA2NgiyY69SiU88Xx' 'strict-dynamic' https:".

    at new Function (<anonymous>)
    at compileToFunction (core-base.mjs:942:1)
    at compileMessageFormat (core-base.mjs:1229:1)
    at translate (core-base.mjs:1076:1)
    at vue-i18n.mjs:564:1
    at wrapWithDeps (vue-i18n.mjs:513:1)
    at Object.t (vue-i18n.mjs:564:1)
    at vue-i18n.mjs:564:116
    at wrapWithDeps (vue-i18n.mjs:551:1)
    at Object.t (vue-i18n.mjs:564:1)

Expected behavior

The site should be able to run the i18n library without needing to add `unsafe-eval` to the Content Security Policy.

Reproduction

I'd recreate in stackblitz but I can't set custom security policies.

System Info

"vue-i18n": "9.13.1"
"vue": "3.4.21",

Screenshot

No response

Additional context

No response


Thank you for reporting!

You can use JIT compilation.
https://vue-i18n.intlify.dev/guide/advanced/optimization.html

Please check it out!

Thanks!

Thanks!
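The stack trace in the report ends at `new Function`, which a CSP without `unsafe-eval` treats as string evaluation. The sketch below is an added example, not code from the thread or from vue-i18n: it contrasts generating code through the Function constructor with interpreting a parsed message as data, the general way to render messages without evaluating strings. The mini message format (only `{named}` placeholders), every function name, and the `BlockedFunction` stand-in for a strict policy are assumptions made for illustration.

```javascript
// Added illustration, not vue-i18n source. Supports literal text and {named} placeholders only.

// Turn "Hello {name}!" into a data-only AST of text and named nodes.
function parseMessage(source) {
  const nodes = [];
  const placeholder = /\{\s*([A-Za-z_]\w*)\s*\}/g;
  let last = 0;
  let m;
  while ((m = placeholder.exec(source)) !== null) {
    if (m.index > last) nodes.push({ type: 'text', value: source.slice(last, m.index) });
    nodes.push({ type: 'named', key: m[1] });
    last = placeholder.lastIndex;
  }
  if (last < source.length) nodes.push({ type: 'text', value: source.slice(last) });
  return nodes;
}

// Path 1: build JavaScript source text and pass it to the Function constructor.
// A browser treats this like eval(); without 'unsafe-eval' in script-src it throws EvalError.
function compileWithFunctionConstructor(source, FunctionCtor = Function) {
  const parts = parseMessage(source).map((n) =>
    n.type === 'text' ? JSON.stringify(n.value) : `String(ctx[${JSON.stringify(n.key)}] ?? '')`);
  return new FunctionCtor('ctx', `return ${parts.join(' + ') || '""'};`);
}

// Path 2: keep the AST as data and walk it in an ordinary closure.
// No string is ever evaluated as code, so the policy has nothing to block.
function compileWithInterpreter(source) {
  const ast = parseMessage(source);
  return (ctx) => ast.map((n) => (n.type === 'text' ? n.value : String(ctx[n.key] ?? ''))).join('');
}

// Constructed stand-in for a page whose CSP omits 'unsafe-eval'.
function BlockedFunction() {
  throw new EvalError("Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script");
}

// Reports whether a compile strategy renders a message when string evaluation is refused.
function survivesStrictCsp(compile) {
  try {
    return compile('Hello {name}!')({ name: 'Ada' }) === 'Hello Ada!';
  } catch (err) {
    if (err instanceof EvalError) return false;
    throw err;
  }
}
```

Both strategies produce the same string where evaluation is allowed; only the interpreter path still works once the Function constructor is refused, which is why the policy can stay free of `unsafe-eval`.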