Closed
Hi,
We have a strict CSP on our website that doesn't allow for eval calls. Somewhere in your code it must be doing just that: without 'unsafe-eval' in the script-src section of the Content-Security-Policy header, the code below flags a valid number like +32477112233 as invalid. When you add 'unsafe-eval', it flags it as valid. I had a quick look through the code but can't immediately see calls that trigger eval.
Any idea where this would be?
Steps to reproduce
```html
<script src="https://code.jquery.com/jquery-1.12.4.min.js"></script>
<script type="text/javascript" src="/js/intltelinput/intlTelInput.min.js"></script>
<script>
  $("#phone").intlTelInput({
    utilsScript: "/js/intltelinput/utils.js"
  });
  $("#phone").bind('blur', function () {
    if ($("#phone").intlTelInput("isValidNumber")) {
      alert('yay');
    } else {
      alert('boo');
    }
  });
</script>
```
Now enter +32477112233 and blur.
Expected behaviour
alert('yay')
Actual behaviour
alert('boo')
And in Firefox console:
Content Security Policy: The page’s settings blocked the loading of a resource at self
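The report above gives the symptom but not the call site. Two small helpers a site operator can use to narrow it down, added here as an example (not code from the issue or from the intl-tel-input project): one checks whether a given Content-Security-Policy header actually permits eval for scripts (script-src, falling back to default-src when script-src is absent), the other pulls the source file and line out of a CSP violation report of the kind a `report-uri` endpoint receives, so the offending `eval`/`new Function` call can be located. The header strings, the example.com URLs and the violation report are constructed sample input; the report follows the standard `csp-report` JSON shape, with `blocked-uri` set to the literal `eval` as the CSP specification does for eval violations.

```javascript
// Added example, not part of the original issue or of intl-tel-input.

// Parse a CSP header into a Map of directive name -> list of source values.
// Per the spec, if a directive appears twice the first occurrence wins.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, values);
  }
  return policy;
}

// eval() and new Function() are governed by script-src; when script-src is
// absent, default-src applies; when neither is present, eval is unrestricted.
function evalAllowed(header) {
  const policy = parseCsp(header);
  const governing = policy.get('script-src') ?? policy.get('default-src');
  if (!governing) return true;
  return governing.some(v => v.toLowerCase() === "'unsafe-eval'");
}

// Summarize a CSP violation report (the JSON body posted to report-uri) into
// the fields needed to find the call site: directive, whether it was an eval
// violation, and file:line:column of the script that triggered it.
function summarizeReport(json) {
  const r = JSON.parse(json)['csp-report'];
  const isEval = r['blocked-uri'] === 'eval';
  const where = r['source-file']
    ? `${r['source-file']}:${r['line-number']}:${r['column-number']}`
    : 'unknown';
  return {
    directive: r['effective-directive'] || r['violated-directive'],
    isEval,
    where,
    sample: r['script-sample'] || '',
  };
}

// Constructed sample policies: the strict one from a site like the reporter's,
// and the same policy with 'unsafe-eval' added to script-src.
const STRICT_CSP = "default-src 'self'; script-src 'self' https://code.jquery.com";
const RELAXED_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval' https://code.jquery.com";

// Constructed sample violation report (hypothetical URLs and positions).
const SAMPLE_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://example.com/signup',
    'violated-directive': 'script-src',
    'effective-directive': 'script-src',
    'blocked-uri': 'eval',
    'source-file': 'https://example.com/js/intltelinput/utils.js',
    'line-number': 1,
    'column-number': 12345,
    'original-policy': STRICT_CSP,
  },
});

console.log('strict policy allows eval:', evalAllowed(STRICT_CSP));   // false
console.log('relaxed policy allows eval:', evalAllowed(RELAXED_CSP)); // true
console.log('violation summary:', summarizeReport(SAMPLE_REPORT));
```

In a browser the same information is available without a reporting endpoint: add a `securitypolicyviolation` listener on `document` and read `event.blockedURI`, `event.sourceFile`, `event.lineNumber` and `event.columnNumber` from the event; feeding those fields into `summarizeReport` shape above gives the same file:line pointer into the minified bundle, which can then be mapped back with the unminified build or a source map.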