Foundation 6.5.1 Breaks Content Security Policy

I am currently using 6.2.3 for our site, and was looking to upgrade to 6.5.1 (at least) in order to use the enhanced off-canvas function. However, we have a very strict Content Security Policy in place for our site that does not allow any JavaScript “eval” functions, as these can be a major source of attack by rogue scripts. This is working fine with 6.2.3, but 6.5.1 has 12 instances of “eval” in foundation.js, causing the page to fail for the violation of the CSP. Can these evals be safely removed from the js file, or am I unable to upgrade to a newer version of Foundation for Sites?

I guess you mean the file that is generated by our build setup? This is done by webpack. Not sure if this is possible.

Also see https://github.com/webpack/webpack/issues/6461, https://github.com/webpack/webpack/issues/4899 and https://github.com/webpack/webpack/issues/5627

It seems to be a bit more work to investigate and solve this.

I am not using anything to generate this file, it was downloaded from Foundation using the CSS option, which is the way I’ve been using Foundation since version 4. If you have a version of 6.5.1 or 6.6.1 with just a pure js file without any evals, or can give me step-by-step instructions on how to generate my own, I can continue working as I have for years. A while ago, I used Foundation for Emails to produce our firm’s email newsletter, but a change in MailChimp’s pricing structure caused me to discontinue generating a custom newsletter, so I haven’t used it for months. I was hoping to avoid having to download and install everything to automate the use of Foundation for our simple 32-page website that changes maybe once per month.

It is working fine on my Windows 8 PC. I successfully installed the upgrade. Now I am using 6.5.1, but recently I have been facing an issue, error 0x80248007, whenever I go for Windows Update.

Our bundles are generated / built with webpack. You can see that on GitHub.

Well, I fear we have no other bundle. You can either create your own by using require to load the source files and rebuild with webpack or any other bundler or adjust the webpack config.

Maybe one of the other bundles might be ok: https://github.com/foundation/foundation-sites/blob/84a0a337adeab7a2706a673d8694fc6adc2a15d1/dist/js/
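Whichever bundle is picked, it can be checked against the site's policy before it is deployed. The script below is an added example, not part of the thread or of Foundation's code: it scans a bundle for the constructs that a policy without 'unsafe-eval' blocks and reads the policy to see whether that restriction applies. The function names, sample bundles and policy string are constructed for illustration.

```javascript
// Added example. Textual scan for the constructs that a policy without
// 'unsafe-eval' refuses to run. It is conservative: matches inside comments
// or string literals are reported too and need a manual look.
const SINKS = [
  { sink: 'eval', re: /(?<![\w$])eval\s*\(/g },
  { sink: 'new Function', re: /\bnew\s+Function\s*\(/g },
  { sink: 'string timer', re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/g },
];

function scanBundle(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const { sink, re } of SINKS) {
      for (const m of text.matchAll(re)) {
        findings.push({ sink, line: i + 1, column: m.index + 1 });
      }
    }
  });
  return findings;
}

// True when the policy lets eval-like code run: script-src decides, with
// default-src as fallback; the first copy of a repeated directive wins.
function policyAllowsEval(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().toLowerCase().split(/\s+/);
    if (name && !directives.has(name)) directives.set(name, values);
  }
  const sources = directives.get('script-src') ?? directives.get('default-src');
  return sources === undefined || sources.includes("'unsafe-eval'");
}

// Findings that will become CSP violations under the given policy.
function cspViolations(source, policy) {
  return policyAllowsEval(policy) ? [] : scanBundle(source);
}

// Constructed samples, not taken from any Foundation release.
const EVAL_BUNDLE = ['/******/ (function(modules) {',
  'eval("module.exports = jQuery;");',
  'var f = new Function("a", "return a");',
  'setTimeout("init()", 10);', '})();'].join('\n');
const PLAIN_BUNDLE = 'function init(){ retrieval(1); obj.$eval(2); setTimeout(init, 10); }';
const STRICT_POLICY = "default-src 'self'; script-src 'self'";

console.log(cspViolations(EVAL_BUNDLE, STRICT_POLICY));
```

To check a downloaded file, read it with `fs.readFileSync(path, 'utf8')` and pass the text to `cspViolations` together with the site's actual policy header.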

OK, I was able to get the 6.6.1 versions of foundation.css and
foundation.min.js from your link and no longer get the content security
violation. Now I just have to change all my code to match the changes
required going from 6.2 to 6.6 for the functions I am using.

There are still links on the Foundation for Sites docs that seem to
provide for downloading the files, but I get 404 errors when trying them
(e.g., on https://get.foundation/sites.html). Is there no plan to make
that method available anymore?

Thanks for your help.

See New website feedback.

This is also the right thread regarding the new website / docs.