Crash "Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://www.apple.com https://appleid.cdn-apple.com "." #200

Closed
efstathiosntonas opened this issue Mar 31, 2021 · 11 comments

@efstathiosntonas

Just received a crash on Crashlytics that I believe is related to this module (v.2.1.0)

This is the trace (device GCE x86 phone, Android 9)

Fatal Exception: java.lang.RuntimeException: java.lang.RuntimeException: Error in evaluationEvaluation: status: 13 value: {message=Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://www.apple.com https://appleid.cdn-apple.com ".
} hasMessage: true message: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://www.apple.com https://appleid.cdn-apple.com ".

       at androidx.test.espresso.web.sugar.Web$WebInteraction$ExceptionPropagator.<init>(Web.java:2)
       at androidx.test.espresso.web.sugar.Web$WebInteraction.doEval(Web.java:10)
       at androidx.test.espresso.web.sugar.Web$WebInteraction.perform(Web.java:1)
       at androidx.test.tools.crawler.platform.hybrid.HybridInteractionController.swipe(HybridInteractionController.java:15)
       at androidx.test.tools.crawler.platform.ActionExecutor.execute(ActionExecutor.java:33)
       at androidx.test.tools.crawler.platform.ActionExecutor.performAction(ActionExecutor.java:4)
       at androidx.test.tools.crawler.platform.RemotePlatform.handlePerformAction(RemotePlatform.java:22)
       at androidx.test.tools.crawler.platform.RemotePlatform.messageLoop(RemotePlatform.java:26)
       at androidx.test.tools.crawler.platform.RemotePlatform.lambda$startCrawlAndWaitUntilFinished$0$RemotePlatform(RemotePlatform.java:1)
       at androidx.test.tools.crawler.platform.RemotePlatform$$Lambda$0.run(:6)
       at java.lang.Thread.run(Thread.java:764)
Caused by java.lang.RuntimeException: Error in evaluationEvaluation: status: 13 value: {message=Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://www.apple.com https://appleid.cdn-apple.com ".
} hasMessage: true message: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://www.apple.com https://appleid.cdn-apple.com ".

       at androidx.test.espresso.web.model.SimpleAtom.handleBadEvaluation(SimpleAtom.java:1)
       at androidx.test.espresso.web.model.SimpleAtom.transform(SimpleAtom.java:2)
       at androidx.test.espresso.web.model.SimpleAtom.transform(SimpleAtom.java:3)
       at androidx.test.espresso.web.action.AtomAction$3.apply(AtomAction.java:1)
       at androidx.test.espresso.web.action.AtomAction$3.apply(AtomAction.java:2)
       at androidx.test.tools.crawler.obfuscated.bf.d.doTransform(AbstractTransformFuture.java:1)
       at androidx.test.tools.crawler.obfuscated.bf.d.doTransform(AbstractTransformFuture.java:2)
       at androidx.test.tools.crawler.obfuscated.bf.e.run(AbstractTransformFuture.java:9)
       at androidx.test.tools.crawler.obfuscated.bf.g.execute(DirectExecutor.java:1)
       at androidx.test.tools.crawler.obfuscated.bf.a.executeListener(AbstractFuture.java:1)
       at androidx.test.tools.crawler.obfuscated.bf.a.complete(AbstractFuture.java:10)
       at androidx.test.tools.crawler.obfuscated.bf.a.set(AbstractFuture.java:2)
       at androidx.test.tools.crawler.obfuscated.bf.aa.set(SettableFuture.java:1)
       at androidx.test.espresso.web.action.AtomAction$1.setResult(AtomAction.java:1)
       at androidx.test.espresso.web.action.AtomAction$2.run(AtomAction.java:1)
       at androidx.test.tools.crawler.obfuscated.bf.g.execute(DirectExecutor.java:1)
       at androidx.test.tools.crawler.obfuscated.bf.a.executeListener(AbstractFuture.java:1)
       at androidx.test.tools.crawler.obfuscated.bf.a.complete(AbstractFuture.java:10)
       at androidx.test.tools.crawler.obfuscated.bf.a.set(AbstractFuture.java:2)
       at androidx.test.tools.crawler.obfuscated.bf.d.setResult(AbstractTransformFuture.java:1)
       at androidx.test.tools.crawler.obfuscated.bf.e.run(AbstractTransformFuture.java:12)
       at androidx.test.tools.crawler.obfuscated.bf.g.execute(DirectExecutor.java:1)
       at androidx.test.tools.crawler.obfuscated.bf.a.executeListener(AbstractFuture.java:1)
       at androidx.test.tools.crawler.obfuscated.bf.a.complete(AbstractFuture.java:10)
       at androidx.test.tools.crawler.obfuscated.bf.a.set(AbstractFuture.java:2)
       at androidx.test.espresso.web.action.JavascriptEvaluation$ValueCallbackFuture.onReceiveValue(JavascriptEvaluation.java:1)
       at com.android.webview.chromium.p.onResult(:2)
       at org.chromium.android_webview.AwContents.lambda$evaluateJavaScript$8$AwContents(AwContents.java:933)
       at org.chromium.android_webview.AwContents$$Lambda$12.run(:4)
       at android.os.Handler.handleCallback(Handler.java:873)
       at android.os.Handler.dispatchMessage(Handler.java:99)
       at android.os.Looper.loop(Looper.java:193)
       at android.app.ActivityThread.main(ActivityThread.java:6669)
       at java.lang.reflect.Method.invoke(Method.java)
       at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
       at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:858)
@mikehardy
Collaborator

mikehardy commented Mar 31, 2021

Stacks like this:

at androidx.test.espresso.web.sugar.Web$WebInteraction$ExceptionPropagator.<init>(Web.java:2)
       at androidx.test.espresso.web.sugar.Web$WebInteraction.doEval(Web.java:10)
       at androidx.test.espresso.web.sugar.Web$WebInteraction.perform(Web.java:1)
       at androidx.test.tools.crawler.platform.hybrid.HybridInteractionController.swipe(HybridInteractionController.java:15)
       at androidx.test.tools.crawler.platform.ActionExecutor.execute(ActionExecutor.java:33)
       at androidx.test.tools.crawler.platform.ActionExecutor.performAction(ActionExecutor.java:4)
       at androidx.test.tools.crawler.platform.RemotePlatform.handlePerformAction(RemotePlatform.java:22)
       at androidx.test.tools.crawler.platform.RemotePlatform.messageLoop(RemotePlatform.java:26)
       at androidx.test.tools.crawler.platform.RemotePlatform.lambda$startCrawlAndWaitUntilFinished$0$RemotePlatform(RemotePlatform.java:1)
       at androidx.test.tools.crawler.platform.RemotePlatform$$Lambda$0.run(:6)

are usually the firebase test lab automatically crawling your app (literally just touching everywhere like an uneducated monkey) on every app release published in the Google Play Store unless you opt out.

What's cool though is that they also post logcat and video etc. so you can see it and get more details

I don't see a single stack frame in your crash trace that points to this module though, so without more detail (and ideally a minimal reproducible example https://stackoverflow.com/help/minimal-reproducible-example) I'm going to close this as "no evidence it was this module"
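
An added example (not part of the original thread or the project's code) that automates the check described in the comment above: it extracts the CSP directive from the refusal message and tests whether any frame belongs to the app rather than the `androidx.test.tools.crawler` harness. The sample trace is constructed from lines quoted in this issue, and the app package prefix passed to `triage` is a hypothetical placeholder.

```javascript
// Added example. SAMPLE_TRACE is constructed from lines quoted in this issue.
const SAMPLE_TRACE = `Fatal Exception: java.lang.RuntimeException: Error in evaluationEvaluation: status: 13 value: {message=Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://www.apple.com https://appleid.cdn-apple.com ".
       at androidx.test.espresso.web.sugar.Web$WebInteraction.doEval(Web.java:10)
       at androidx.test.tools.crawler.platform.ActionExecutor.execute(ActionExecutor.java:33)
       at org.chromium.android_webview.AwContents$$Lambda$12.run(:4)`;

// Matches the WebView message for a blocked string evaluation and captures
// the missing keyword and the quoted directive.
const REFUSAL = /Refused to evaluate a string as JavaScript because '([^']+)' is not an allowed source of script in the following Content Security Policy directive: "([^"]+)"/;

// Split a directive such as "script-src 'self' https://host" into its parts.
function parseDirective(text) {
  const [name, ...sources] = text.trim().split(/\s+/);
  return { name: name.toLowerCase(), sources };
}

function extractCspRefusal(trace) {
  const m = trace.match(REFUSAL);
  if (!m) return null;
  const directive = parseDirective(m[2]);
  return {
    missingKeyword: m[1],
    directive,
    allowsEval: directive.sources.includes("'unsafe-eval'"),
  };
}

// Fully qualified method name of every "at ..." frame in the trace.
function frameNames(trace) {
  return trace.split("\n")
    .map((line) => line.match(/^\s*at\s+([\w.$<>]+)\(/))
    .filter(Boolean)
    .map((m) => m[1]);
}

// appPrefixes: package prefixes of your own code (hypothetical in the usage).
function triage(trace, appPrefixes) {
  const frames = frameNames(trace);
  const crawlerFrames = frames.filter((f) => f.startsWith("androidx.test.tools.crawler."));
  const appFrames = frames.filter((f) => appPrefixes.some((p) => f.startsWith(p)));
  const csp = extractCspRefusal(trace);
  const harnessOnly = crawlerFrames.length > 0 && appFrames.length === 0;
  const verdict = csp && !csp.allowsEval && harnessOnly
    ? "crawler-eval-blocked-by-csp" : "needs-investigation";
  return { verdict, csp, crawlerFrames, appFrames };
}
```

A `crawler-eval-blocked-by-csp` verdict means the page's `script-src` policy rejected a script string injected by the test harness and no app frame was involved; anything else is left for manual review.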

@booleanbetrayal

We are seeing something similar coming from our app's Cordova implementation (using cordova-sign-in-with-apple). It is only affecting certain device types but they all explode with a CSP failure that seems to be stemming from Apple's OAuth flow content.

@mikehardy
Collaborator

This may be another use case (for our module) of replacing android auth with a WebView-based auth like #166 - @booleanbetrayal not sure how to map the idea of react-native-webview on to cordova but surely there is a webview wrapper, and if so that approach may work for you as well. PR #166 has sat for a while here but it is a lack of review + merge time, not a quality issue I don't think, the approach seems great.

@ToyboxZach

Super late to the party here, but we just got this error:

They shared this video to show how they got it. Essentially they click around enough and they get to a point that the webview crashes.

Not sure how actionable it is

video.mp4

@mikehardy
Collaborator

Interesting - that looks like the test monkey (I say that nicely, I think it is their actual name!) that play store runs automated against new app submissions? Had that look to it. Not sure what we can do about that other than perhaps #166 which is still languishing unfortunately

@Firsto

Firsto commented Nov 16, 2021

Got same error in Crashlytics. How can we avoid it?

@mikehardy
Collaborator

Use this API from react-native-firebase https://rnfirebase.io/app/utils#test-lab
Disable sign in with apple in the test lab, I suppose

@HardikKotadiya16

Get the same error in the Android application when loading URL in webview. So, how can I avoid it?

@mikehardy
Collaborator

@HardikKotadiya16 probably by taking note of the comment thread here and trying the strategy just above your comment?

@SERCHAT

SERCHAT commented May 13, 2022

I'm getting the same error on Android 10 Samsung S20 5G devices. Any solution?

@mikehardy
Collaborator

@SERCHAT I don't see one posted. Happy to merge any PR that seems reasonable / is backed by experimental evidence that it isolates the problem and fixes it
