For a customer we’re implementing Content-Security-Policy (CSP), loading Piwik using a nonce. I can’t share the customer details right now because that’s possibly sensitive data.
In the loaded script (https://{id}.containers.piwik.pro/{uuid}.js) I see this bit of code:
this.verifyIfEvalAllowed=function(){try{return(0,eval)("1 + 1"),!0}catch(e){return!1}}
Calling eval in the global scope.
Default Content-Security-Policy disallows use of eval. You do catch the EvalError, but the browser will still report a CSP error: Content-Security-Policy: The page’s settings blocked a JavaScript eval (script-src) from being executed because it violates the following directive: (Firefox). With a report-uri enabled, this would keep flooding our logs. But even just causing a browser error like this is unwanted behavior.
I’ve read Content Security Policy (CSP). We can maybe take a few more steps. But I don’t think I see this being referenced.