Cannot Add Featured Image in WordPress — CSP unsafe-eval Error Explained

If you suddenly cannot add a featured image, upload files to the Media Library, or select images in Advanced Custom Fields — and you see a JavaScript error in the browser console — the culprit is very likely a misconfigured Content Security Policy (CSP).

Problem: Clicking "Set Featured Image" in the WordPress admin opens the media library but images cannot be selected — the browser console shows a Content Security Policy error mentioning unsafe-eval.

Solution: Identify which CSP directive is blocking the media library script — the most common sources are a security plugin, a CDN configuration, or a server-level Content-Security-Policy header. Add 'unsafe-eval' to the script-src directive for the admin domain in whichever source is setting the restrictive policy.

Open the browser console (F12 → Console). If the error looks similar to this, you are in the right place:

Uncaught EvalError: Refused to evaluate a string as JavaScript because
'unsafe-eval' is not an allowed source of script in the following
Content Security Policy directive: "default-src 'self' 'unsafe-inline' data …"

The WordPress media uploader relies on eval() internally (via Plupload and the media modal scripts). In CSP, the 'unsafe-eval' keyword is what permits string-to-code evaluation (eval(), new Function() and the string forms of setTimeout/setInterval), so a policy that omits it stops the uploader from working. Note that the policy quoted in the error has no script-src directive at all: when script-src is absent, browsers fall back to default-src for scripts, which is why the message cites default-src even though the blocked call is a script evaluation.

To confirm that a CSP header is being set, you can use the securityheaders.com scanner, or simply inspect the response headers in the browser's Network tab.

Next, track down where the CSP is being applied. The most common sources are:

1. Your .htaccess file — search for a Header set Content-Security-Policy line.

2. A security plugin (for example, a plugin that adds custom HTTP headers). Check its settings panel and also scan your theme files (header.php, functions.php) for header() calls that output a CSP.

3. Server-level configuration set by your hosting provider — less common, but worth ruling out by opening a support ticket if the other sources come up clean.

Once you have found the source, either add 'unsafe-eval' to the script-src directive or, if you set the policy yourself, consider switching to a nonce-based approach for better long-term security.

NOTE: Adding unsafe-eval relaxes your CSP. If you did not intentionally set a Content Security Policy, remove the header entirely or audit which plugin or configuration added it, rather than simply appending permissions you may not need.
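Added example, not code from the original article: a small Python helper that parses a CSP header, resolves the default-src fallback for scripts, reports whether 'unsafe-eval' is allowed, and builds the relaxed policy without dropping the sources the site already depends on. The sample header is constructed to mirror the error shown above.

```python
# Added example (not from the article). Parses a CSP header, works out which
# directive governs scripts (script-src, else default-src), checks for
# 'unsafe-eval', and builds the relaxed policy while keeping existing sources.

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [sources]}. Names are
    case-insensitive; per the spec the first duplicate directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_script_sources(policy: dict) -> list:
    """Sources governing script execution: script-src if present, otherwise
    the default-src fallback (why the article's error quotes default-src)."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])

def allows_unsafe_eval(header: str) -> bool:
    """True if the policy lets the media uploader call eval()/new Function()."""
    return "'unsafe-eval'" in effective_script_sources(parse_csp(header))

def add_unsafe_eval(header: str) -> str:
    """Permit 'unsafe-eval' for scripts only. If only default-src exists, the
    new script-src copies its sources first: a bare "script-src 'unsafe-eval'"
    would replace the fallback and block the site's own scripts entirely."""
    policy = parse_csp(header)
    sources = list(effective_script_sources(policy))
    if "'unsafe-eval'" not in sources:
        sources.append("'unsafe-eval'")
    policy["script-src"] = sources
    return "; ".join(f"{name} {' '.join(srcs)}".strip()
                     for name, srcs in policy.items())

def htaccess_line(header: str) -> str:
    """Apache directive for the .htaccess source named in the article."""
    return f'Header set Content-Security-Policy "{header}"'

# Constructed sample: the kind of policy behind the EvalError in the article.
BLOCKING = "default-src 'self' 'unsafe-inline' data:; img-src 'self' data:"

if __name__ == "__main__":
    print("blocks eval:", not allows_unsafe_eval(BLOCKING))
    print(htaccess_line(add_unsafe_eval(BLOCKING)))
```

Running it prints the corrected .htaccess line; compare its script-src with your existing default-src to confirm nothing was dropped.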