Unsafe eval in function constructor #35

Closed
anthony-arnold opened this issue Aug 19, 2020 · 2 comments
Labels
wip Work in Progress


@anthony-arnold

The ShortUniqueId constructor contains some eval code.

Inheriting from Function and calling its constructor violates strict Content-Security-Policy. The only way to use this library with CSP is to set script-src: 'unsafe-eval', which makes CSP kind of useless.

Is there a way to remove this eval code without introducing a regression?

@jeanlescure
Collaborator

Hi @anthony-arnold, thanks for the report!

I think the Proxy object might be our best bet here to refactor that eval out of our code base.

I'll create a branch and test this out; the only regression concern (off the top of my head) might be browser support.

I'll keep this issue updated as progress is done 👍

@jeanlescure
Collaborator

Hi @anthony-arnold, thanks for waiting this long. Last night v3.0.5 was released; it should do away with the CSP warning you were getting and introduces no regression.

Cheers 🍻
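
The pattern reported in this thread and one eval-free alternative, as an added example that is not part of the issue and not short-unique-id's code. The `CallableId` class, the `runInPolicy` helper and both source strings are constructed for illustration; a Node.js `vm` context with string code generation disabled stands in for a page whose CSP omits `'unsafe-eval'`.

```javascript
// Added example (not short-unique-id's code). Runs in Node.js: a vm context with
// string code generation disabled stands in for a CSP without 'unsafe-eval'.
const vm = require('node:vm');

// Constructed "before": a callable class built by inheriting from Function.
// super(...) runs the Function constructor, which compiles a source string.
const EVAL_BASED = `
  class CallableId extends Function {
    constructor(prefix) {
      super('return this.next()');
      this.prefix = prefix;
      this.counter = 0;
      return this.bind(this);
    }
    next() { return this.prefix + '-' + this.counter++; }
  }
  const id = new CallableId('u');
  [id(), id()].join(',');
`;

// Constructed "after": the callable is an ordinary closure re-parented onto the
// class prototype, so no source text is ever compiled at runtime.
const CLOSURE_BASED = `
  class CallableId {
    constructor(prefix) {
      const self = () => self.next();
      Object.setPrototypeOf(self, new.target.prototype);
      self.prefix = prefix;
      self.counter = 0;
      return self;
    }
    next() { return this.prefix + '-' + this.counter++; }
  }
  const id = new CallableId('u');
  [id(), id()].join(',');
`;

// Run a source string in a fresh context, with eval/Function allowed or blocked.
function runInPolicy(source, allowStringCodegen) {
  const context = vm.createContext({}, {
    codeGeneration: { strings: allowStringCodegen, wasm: false },
  });
  try {
    return { ok: true, value: vm.runInContext(source, context) };
  } catch (err) {
    return { ok: false, error: err.name }; // cross-realm error: compare by name
  }
}
```

Calling `runInPolicy(EVAL_BASED, false)` reports an `EvalError`, while `runInPolicy(CLOSURE_BASED, false)` returns the same IDs the eval-based class produces when string code generation is allowed.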
