Description
Bug report
Our project (https://github.com/DestinyItemManager/DIM) includes our Content-Security-Policy header in the dev server, to allow us to catch CSP problems while developing locally. Prior to webpack-dev-server v5.0.0, this worked fine without the 'unsafe-eval' script-src permission, but now it requires it. (Note: We also have client: { overlay: false } set).
Actual Behavior
Our JS fails to load because our CSP header does not include 'unsafe-eval':
index.js:1414 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://*.googletagmanager.com https://*.google-analytics.com https://opencollective.com".
at new Function (<anonymous>)
at SyncBailHookCodeFactory.create (index.js:1414:1)
at Hook.COMPILE [as compile] (index.js:2377:1)
at Hook._createCall (index.js:1108:1)
at Hook.CALL_DELEGATE (index.js:1068:1)
at WebpackLogger.<anonymous> (index.js:3513:1)
at WebpackLogger.info (index.js:3067:1)
at logEnabledFeatures (log.js:33:1)
at ./node_modules/.pnpm/webpack-dev-server@5.0.0_quill-delta@5.1.0_rxjs@7.8.1_tslib@2.6.2_webpack-cli@5.1.4_webpack@5.90.1/node_modules/webpack-dev-server/client/index.js?protocol=wss%3A&hostname=localhost&port=8080&pathname=%2Fws&logging=info&overlay=false&reconnect=10&hot=only&live-reload=false (index.js:131:19)
at options.factory (react refresh:6:1)
Expected Behavior
At least with the overlay disabled, webpack-dev-server shouldn't rely on 'unsafe-eval', however it managed to do so before.
How Do We Reproduce?
Our Webpack config is here:
https://github.com/DestinyItemManager/DIM/blob/master/config/webpack.ts#L112-L152
I'd suggest a minimal repro would be a project with client: { overlay: false } that customizes the dev server headers to include 'Content-Security-Policy': "default-src 'self'".
Please paste the results of npx webpack-cli info here, and mention other relevant information
System:
OS: macOS 14.0
CPU: (10) arm64 Apple M1 Max
Memory: 130.56 MB / 64.00 GB
Binaries:
Node: 21.4.0 - /opt/homebrew/bin/node
npm: 10.2.4 - /opt/homebrew/bin/npm
Browsers:
Chrome: 121.0.6167.160
Safari: 17.0
Packages:
babel-loader: ^9.1.3 => 9.1.3
clean-webpack-plugin: ^4.0.0 => 4.0.0
compression-webpack-plugin: ^11.0.0 => 11.0.0
copy-webpack-plugin: ^12.0.2 => 12.0.2
css-loader: ^6.10.0 => 6.10.0
css-modules-typescript-loader: ^4.0.1 => 4.0.1
fork-ts-checker-notifier-webpack-plugin: ^5.0.0 => 5.0.0
fork-ts-checker-webpack-plugin: ^6.0.1 => 6.5.3
generate-json-webpack-plugin: ^2.0.0 => 2.0.0
html-loader: ^5.0.0 => 5.0.0
html-webpack-plugin: ^5.6.0 => 5.6.0
lodash-webpack-plugin: ^0.11.6 => 0.11.6
markdown-loader: ^8.0.0 => 8.0.0
postcss-assets-webpack-plugin: ^4.1.2 => 4.1.2
postcss-loader: ^8.1.0 => 8.1.0
sass-loader: ^14.1.0 => 14.1.0
source-map-loader: ^5.0.0 => 5.0.0
style-loader: ^3.3.4 => 3.3.4
svgo-loader: ^4.0.0 => 4.0.0
terser-webpack-plugin: ^5.3.10 => 5.3.10
ts-loader: ^9.5.1 => 9.5.1
tsconfig-paths-webpack-plugin: ^4.1.0 => 4.1.0
webpack: ^5.90.1 => 5.90.1
webpack-cli: ^5.1.4 => 5.1.4
webpack-dev-server: ^5.0.0 => 5.0.0
webpack-notifier: ^1.15.0 => 1.15.0
webpack-stats-plugin: ^1.1.3 => 1.1.3
workbox-webpack-plugin: 7.0.0 => 7.0.0