CSP 'unsafe-eval' since last evening

Hi,

I’m a power-up developer and since last evening I started receiving many reports of my power-up not working anymore. After investigating, I found that the power-up SDK (https://p.trellocdn.com/power-up.min.js) makes use of unsafe eval().

A little over a year ago we were forced to introduce new CSP headers that prohibit this.

For now, I’ve just whitelisted the unsafe-eval flag for the trello cdn domain and everything appears to be working again.

But why weren’t we made aware of this change? I’m getting flooded by emails of people using the power-up that it’s no longer working. I continue to get these messages since my caching is a bit harder, so some people already have the cached non-working version stored, which will continue to be used for the coming weeks.

2 Likes
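As an added example (not code from this thread or from Trello), a small Python check for the situation the post describes: it parses a CSP header to tell whether the directive governing scripts permits eval, and filters report-uri violation reports for eval blocks attributed to the SDK host, which is how a report-only policy would surface this kind of breakage before users hit it. The policies and reports are constructed; note that 'unsafe-eval' is a keyword that relaxes the whole script-src directive rather than a single host.

```python
import json
from typing import Optional
from urllib.parse import urlparse

def parse_csp(policy: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def governing_script_sources(directives: dict) -> Optional[list]:
    """script-src governs eval(); when it is absent, default-src is the fallback."""
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src")

def eval_allowed(policy: str) -> bool:
    """True when eval()/new Function() would run under this policy.
    No governing directive at all means the browser imposes no restriction."""
    sources = governing_script_sources(parse_csp(policy))
    if sources is None:
        return True
    return "'unsafe-eval'" in (s.lower() for s in sources)

def eval_violations(report_lines, source_host: str):
    """Return (document-uri, source-file) for reports where an eval issued by a
    script served from source_host was blocked. Browsers set blocked-uri to the
    literal string "eval" for these violations."""
    hits = []
    for line in report_lines:
        r = json.loads(line).get("csp-report", {})
        host = urlparse(r.get("source-file", "")).hostname
        if r.get("blocked-uri") == "eval" and host == source_host:
            hits.append((r.get("document-uri"), r.get("source-file")))
    return hits

# Constructed sample policies (not the poster's actual headers)
STRICT = "default-src 'self'; script-src 'self' https://p.trellocdn.com"
RELAXED = "default-src 'self'; script-src 'self' 'unsafe-eval' https://p.trellocdn.com"

# Constructed violation reports of the kind a report-uri endpoint would receive
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://powerup.example/index.html",
        "effective-directive": "script-src", "blocked-uri": "eval",
        "source-file": "https://p.trellocdn.com/power-up.min.js", "line-number": 1}}),
    json.dumps({"csp-report": {"document-uri": "https://powerup.example/index.html",
        "effective-directive": "img-src", "blocked-uri": "https://tracker.example/p.gif",
        "source-file": "https://powerup.example/index.html"}}),
]
```

Running `eval_allowed` against both policies and `eval_violations(SAMPLE_REPORTS, "p.trellocdn.com")` shows that only the relaxed policy permits the SDK's eval, and that the first sample report is the one tied to the SDK.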

Hi @DannieHansen ,

Thanks for reporting this. I’ll contact the Trello team to take a look.

Regards,
Dugald

1 Like

Here is the incident that caused this: Trello Status - Power-Ups not loading

4 Likes

Thank you @dmorrow & @bentley for the swift fix :+1:

And just want to acknowledge that this incident was raised only on https://trello.status.atlassian.com/ and not https://developer.status.atlassian.com/ because there wasn’t an obvious place for it to be included in the latter. I would hope that in the future, we onboard Trello onto the Atlassian Developer Statuspage, but that isn’t the current state of the world.

And it also didn’t make sense, IMHO, to put it in the API section of the Trello Statuspage since it was a power-up.js issue and we tend to use API to refer specifically to the Trello REST API.

Thank you for resolving this so quickly. Is there anything we can do as a power-up developer community to help prevent this type of incident in the future? It had a massive impact on my user base and I would love to find a way to reduce the likelihood of this type of issue.

-Allen

4 Likes

This isn’t a preventative measure, but I’d encourage you to open an incident in the event that this level of breakage occurs again: Jira Service Management

We do roll out these changes to staging: https://p-staging.trellocdn.com/power-up.min.js

A bad thing to do would be to cache some versions on your own… But then you could end up causing problems because there was a breaking change that actually required the updated power-up.js.

I’m giving this a think with @Jireh to explore more on how we can communicate changes to power-up.js and better manage the rollout.

I think one of the issues that made it more difficult for my users was the cache settings for the powerup code didn’t cause it to update after the fix was deployed. Perhaps a simple improvement would be different cache settings that would detect code updates more quickly.

Hey @bentley, hope all is well!
Just wanted to add that we’re also keen to hear about any updates on how Trello will communicate changes to app developers. We also had to run an incident on the 28th Feb to communicate with users, and handle multiple support tickets, because 5 of our Power-Ups were unavailable. Luckily it was a quick fix but we’d like to be proactive on these rather than reactive.
Thanks, Dan