# gooddata-ui
t
Hello GoodData 👋 I was trying to set up stricter content security policy headers and found out that your code, or one of the npm packages you’re using, is using `eval`. Here’s the error with the stack trace:
```
chunk-Q3OU4L6H.js:67 Uncaught (in promise) EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline' 'self'.

    at Formatter.createFunction (chunk-Q3OU4L6H.js:67:534)
    at Object.numberFormat (chunk-Q3OU4L6H.js:92:540)
    at NNi (chunk-Q3OU4L6H.js:1910:47324)
    at Object.y9s [as getMeasureCellFormattedValue] (chunk-Q3OU4L6H.js:1910:47509)
    at TFs (chunk-Q3OU4L6H.js:1910:76675)
    at rWi (chunk-Q3OU4L6H.js:1910:76861)
    at chunk-Q3OU4L6H.js:1910:77761
    at Array.forEach (<anonymous>)
    at n (chunk-Q3OU4L6H.js:1910:77685)
    at qFs (chunk-Q3OU4L6H.js:1910:78003)
```
The offending line of code is:
```js
return eval("(function() { return function(number, context){" + formatCode + "}; })()")
```
Is the use of eval necessary? Any chance this is fixed in sdk 9?
r
Hi Tomáš, I have good and bad news 🙂 Good news first, the SDK team is aware and working on this as we speak! The bad news being that it's not ready yet, and will still take a little bit of time to arrive at a solution that works for everyone.