
littles:

Struggling with "unsafe-eval" in my Laravel 11 project

I don't get it with the CSP for my project. Using Laravel 11 with Vite, Filament and Tailwind. I'm running into some trouble with my CSP because I have to declare unsafe-eval to make it work. That doesn't feel like a good idea to me, just said. I'm fairly new to security stuff. Nonce looks to me to be the way to go, but I don't get it. Any advice on security and how important it is to not use unsafe-eval would be nice. I hope to get a best practice, with explanations to get a better understanding, not a copy/paste snippet.

0 likes
8 replies
vincent15000:

Hello,

I already had to add some unsafe-eval to allow some third party scripts.

I don't have any real explanations to give you, but perhaps some logic.

You need to execute some scripts from a third party service in your code, otherwise it doesn't work. If you have chosen this service, that means that you trust this service. So you can allow this script to run in your application.

But you should accept ONLY the script itself and not the entire domain name where the script is. This way no other script will be able to run in your application, even if it comes from the same domain name.

If you really don't want such a situation, you can download the script and host it on your own server.

I hope it will help you ;).

1 like
jlrdw:

Try using JSON instead. Use JSON.parse where needed.

1 like
vincent15000:

@jlrdw I don't understand why you suggest this. What's the relationship between JSON and CSP?

jlrdw:

@vincent15000

unsafe-eval allows the application to use the eval() JavaScript function.

Usually with array data. Using JSON and looping over the returned JSON instead was my intent in the answer.

Also unsafe-inline is bad, use an event listener.

Example:

If you have this:

<a href="javascript:void(0);" id="testme">testme</a>

In inspector you can change to this:

<a id="testme" onclick="alert('Hello World')">testme</a>

Into which a user can also put a malicious script.

I normally use an event listener. But it's safer to have external JS files.

2 likes
littles:

Thanks for your help. Right now I'm using script-src 'self' 'unsafe-inline' 'unsafe-eval'. As far as I understand it, that means only unsafe-inline and unsafe-eval scripts from my domain are allowed. Is that a secure solution?

2 likes
littles:

As far as I can see now, my problem starts with the usage of Filament. Tailwind, Livewire and Alpine.js seem to me to be the troublemakers. They need unsafe-inline and unsafe-eval to work out of the box. If I want to use them with a strict policy I have to (re-)write a lot of code from the basis to get it integrated. To get rid of the unsafe-inline I could use a nonce, not really sure if it's better to avoid that also. It feels like the usage of Filament is right now not a good solution to me, because of its security concerns; also Tailwind seems like a trapdoor to me. If anybody has a best practice on how to use them, please let me know.

2 likes
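One way to replace 'unsafe-inline' on script-src with a per-response nonce in Laravel 11, as an added example that is not code from this thread. It assumes Laravel's Vite facade (Vite::useCspNonce() and Vite::cspNonce()), which stamps the nonce onto the tags that the @vite directive renders; the ENFORCE constant and the middleware class name are this example's own choices.

```php
<?php
// Added example (not from the thread). Middleware that sets a nonce-based CSP.
// Assumes Laravel's Vite facade: useCspNonce() generates a random nonce for this
// response and the @vite Blade directive adds nonce="..." to its <script>/<link> tags.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Vite;
use Symfony\Component\HttpFoundation\Response;

class AddContentSecurityPolicyHeaders
{
    // Start with false: the browser only reports violations (in the console and
    // to report-uri if set) instead of blocking. Flip to true once the reports are clean.
    private const ENFORCE = false;

    public function handle(Request $request, Closure $next): Response
    {
        Vite::useCspNonce();            // fresh, random, per-response
        $nonce = Vite::cspNonce();      // same value @vite puts on its tags

        $policy = implode('; ', [
            "default-src 'self'",
            // Only same-origin files and tags carrying this nonce may run.
            // Note what is missing: 'unsafe-inline' and 'unsafe-eval'.
            "script-src 'self' 'nonce-{$nonce}'",
            "style-src 'self' 'nonce-{$nonce}'",
            "object-src 'none'",
            "base-uri 'self'",
            "frame-ancestors 'self'",
        ]);

        $header = self::ENFORCE
            ? 'Content-Security-Policy'
            : 'Content-Security-Policy-Report-Only';

        return $next($request)->withHeaders([$header => $policy]);
    }
}

// Register in bootstrap/app.php (Laravel 11):
//   ->withMiddleware(function (Middleware $middleware) {
//       $middleware->web(append: [App\Http\Middleware\AddContentSecurityPolicyHeaders::class]);
//   })
// Hand-written inline scripts in Blade need the nonce too:
//   <script nonce="{{ Vite::cspNonce() }}"> ... </script>
```

In report-only mode the browser console lists every script or style the policy would have blocked, which is how you find out which framework-injected pieces still lack a nonce or still call eval() before you switch ENFORCE on.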
jlrdw:

@littles just my opinion, but I don't use any of this new stuff. I use Laravel, PHP or Blade, regular CSS, regular JavaScript, and now Axios JS. Nothing more is needed.

But I have programmed for years and know how to do things like in-place editing in a table.

In fact I tried Tailwind, but after viewing some videos it seems that everything is inline, which makes an otherwise nice-looking form look like old spaghetti code.

I instead usually just use classes for regular CSS. But I know how to write my own media queries as well.

And yes, it's safer to use external JavaScript files. Most CSP sites mention this.

Again just my thoughts on this.

Edit:

However, I never got to the point of trying Tailwind in classes.

2 likes
