We’re currently trying to integrate the payment provider Steady – People-Powered Media into our discourse site. Unfortunately, I don’t get their javascript code past our content security policy. I whitelisted every domain I could find in the code, but still get this in the developer console:
This is the incriminated code piece:
https://steadycdn.com/prod/js/1.14.2.js
Does anyone know how to fix this? Thanks!
Why do you think this is a CSP error?
(If it was, the code wouldn’t even run, and it is, because it throws an error).
Everything works as expected, when I deactivate the content security policy, so this was the best guess I could come up with. 
Thanks for the hint! Do you have a tip on how to solve this?
I think the script you’re trying to integrate uses eval() which is blocked by default (the reason is explained in the link above) so you need to add
'unsafe-eval'
to your CSP setting if you want that to work.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.