Livewire and unsafe-eval

[incoming-th]

Hi,

Livewire requires unsafe-eval to be set to true, which is something that will never happen due to security concerns.

Using the nonce is working when the page is loaded

@livewireScripts(['nonce' => csp_nonce('script')])

But then throws an error from Alpine:

Alpine Expression Error: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'nonce-MDA4ZDlhZjZhOTUxYmZkMg=='

I understand this is not an issue related to bepsvpt/secure-headers and already added my comment here livewire/livewire#6113 , but just in case if anyone ran into this problem and found a workaround.

[FabienArr]

Hello,

Did you find a solution ?

Regards

[incoming-th]

Hey,

No solution at all and issue on git above still open. Due to the nature of Livewire and Alpine, I don't even think it's possible to fix it.

Again, this is not a problem with this repo, but should be a known conflict maybe.

[FabienArr]

Yes it's a problem of Livewire and Alpine JS. DO you known if there is an alternative to livewire/AlpineJS and Jetstream compatible with CSP and out problem ?

[incoming-th]

Unless refactor the whole UI with Vue (or worse react) I did not find any alternative, but if I do I will post here and in the open issue on Livewire.

[FabienArr]

Ok thanks