Unsafe eval csp error in tournament lib

We setup a self hosted N8N instance served behind a reverse proxy, as a security best practice we do not enable the unsafe-eval in the CSP headers. unfortunately looks like there is a lib which using

This is the line which causing it

Information on your n8n setup

  • **n8n version:1.25.0
  • **Database (default: SQLite):postgres
  • **n8n EXECUTIONS_PROCESS setting (default: own, main):own
  • **Running n8n via (Docker, npm, n8n cloud, desktop app):Docker
  • Operating system:

@Val according to this thread i found that you are a main contributor to the lib above. there is a chance you can assist with that?

Hello @mtubul

Thanks for reporting this.

Val has reached out to me and we’re investigating this issue.

We are aware of this condition in the code as it’s used by our expression engine to format incoming and outgoing data.

The data goes through some sanitation before it gets to this part of the code and at this time, there are no known vulnerabilities, but indeed it does prevent CSP.

We have plans on migrating this part of the code to a fully sandboxed environment but as you can imagine, this is not a trivial change.

I just wanted to post an update here to let you know that this did not go unnoticed, and unfortunately at this time CSP cannot be used with n8n.

1 Like

@krynble Thanks for your answer, in case there is any updates regarding the CSP i will be glad to be notify about that.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.