Implementing CSP (Content Security Policy) with Vue's Runtime Compiler
Updated May 4, 2026
Short answer
To maintain a strict CSP, you must use the pre-compiled version of Vue and avoid 'unsafe-eval'.
Deep explanation
The Vue runtime compiler (which turns strings into render functions) uses new Function(), which is blocked by strict CSP policies. Architecturally, you must ensure that all templates are compiled at build-time using vue-loader or @vitejs/plugin-vue. If you must use dynamic templates from a database, you need to implement a 'trusted-types' policy or a back-end pre-compilation step.
Unlock with a Pro subscription to view this section.
View pricingReal-world example
No real-world example available yet.
Unlock with a Pro subscription to view this section.
Upgrade to ProCommon mistakes
No common mistakes listed yet.
Unlock with a Pro subscription to view this section.
Upgrade to ProFollow-up questions
No follow-up questions available yet.
Unlock with a Pro subscription to view this section.
Upgrade to Pro