This repository has been archived by the owner on Apr 18, 2023. It is now read-only.
When CSP is configured to help mitigate against XSS attacks, trying to take the definitive integral can cause script to be blocked.
The below example uses version 1.1.11 (1.1.12 not available?); this generates an incorrect answer (expect 1.148).
The below example uses version 1.1.13 (dev version), which generates the correct answer but causes a CSP block.
I tracked it down to the 'build' function within 'nerdamer.core.js' around line 11882 where "new Function(args, ....." is called.
I'm guessing it only gets to this part if it can't determine the result? Is there any way to re-write this without calling "new Function"? Allowing 'unsafe-eval' is not an option as this defeats the whole purpose of CSP.
Cheers
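One way to evaluate an expression numerically without `new Function`, so it runs under a CSP that omits 'unsafe-eval' (an added example, not part of the original issue and not nerdamer's code): the expression is parsed into nested closures and integrated with Simpson's rule. `compile`, `integrate`, the small grammar and the function allow-list are assumptions made for this illustration.

```javascript
// Added example, not nerdamer code: compile() and integrate() are hypothetical helpers.
const FUNCS = new Map(Object.entries({ sin: Math.sin, cos: Math.cos, exp: Math.exp, log: Math.log, sqrt: Math.sqrt }));
const ADD = new Map([['+', (a, b) => a + b], ['-', (a, b) => a - b]]);
const MUL = new Map([['*', (a, b) => a * b], ['/', (a, b) => a / b]]);
// Turns an expression string into nested closures; no string is ever evaluated as code.
function compile(src, variable = 'x') {
  const tokens = src.match(/\d+\.?\d*|[a-z]+|[-+*\/^()]/gi) || [];
  if (tokens.join('') !== src.replace(/\s+/g, '')) throw new SyntaxError('character outside the grammar');
  let pos = 0;
  const expect = (t) => { if (tokens[pos++] !== t) throw new SyntaxError(`expected ${t}`); };
  function level(ops, operand) {          // operand (op operand)*, left-associative
    let left = operand();
    while (ops.has(tokens[pos])) {
      const op = ops.get(tokens[pos++]), l = left, r = operand();
      left = (x) => op(l(x), r(x));
    }
    return left;
  }
  const expr = () => level(ADD, term);    // expr := term (('+' | '-') term)*
  const term = () => level(MUL, unary);   // term := unary (('*' | '/') unary)*
  function unary() {                      // unary := '-' unary | power
    if (tokens[pos] !== '-') return power();
    pos++; const operand = unary();
    return (x) => -operand(x);
  }
  function power() {                      // power := primary ('^' unary)?
    const base = primary();
    if (tokens[pos] !== '^') return base;
    pos++; const exponent = unary();
    return (x) => Math.pow(base(x), exponent(x));
  }
  function primary() {                    // number | variable | name '(' expr ')' | '(' expr ')'
    const t = tokens[pos++];
    if (t === '(') { const e = expr(); expect(')'); return e; }
    if (/^\d/.test(t)) { const n = Number(t); return () => n; }
    if (t === variable) return (x) => x;
    if (!FUNCS.has(t)) throw new SyntaxError(`unknown name: ${t}`); // allow-list only
    const f = FUNCS.get(t); expect('('); const arg = expr(); expect(')');
    return (x) => f(arg(x));
  }
  const root = expr();
  if (pos !== tokens.length) throw new SyntaxError('trailing input');
  return root;
}
function integrate(src, a, b, n = 1000) { // composite Simpson's rule, n must be even
  const f = compile(src), h = (b - a) / n;
  let sum = f(a) + f(b);
  for (let i = 1; i < n; i++) sum += (i % 2 ? 4 : 2) * f(a + i * h);
  return (sum * h) / 3;
}
```

Names are resolved through a `Map` allow-list rather than property lookup on an object, so input such as `constructor(1)` is rejected as an unknown name instead of reaching a built-in.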