Is your library CSP friendly? (not using any unsafe eval expression)?

[yvele]

When making a browser application, most of us are dealing with strict CSP (Content-Security-Policy) that disallow making use of unsafe-eval expressions.

I'm trying to switch from protobufjs to another library that is CSP friendly.
I can't see anything CSP related in your documentation. Can you please add a CSP paragraph where you explain that the library make uses (or NOT🤞 ) of unsafe-eval expression? And what CSP are required?

See also CSP issues that developers have with protobuf.js:

• @protobufjs/inquire violates default content security policy protobufjs/protobuf.js#997
• content security policy protobufjs/protobuf.js#1483
• uses unsafe-eval protobufjs/protobuf.js#593
• Refactor Inquire so it can resolve modules in Browsers with default CPS protobufjs/protobuf.js#1548

[mourner]

There should be no CSP issues with pbf — it doesn't use any code generation techniques that would need eval-like expressions. No special CSP rules are required to use it.

[yvele]

Thank you so much @mourner this is really reassuring, I will give pbf a try.
What about adding a little CSP paragraph in the doc about that? Because many people are struggling with CSP and seing that being CSP friendly is part of the library fundamental is a big plus 👍

[yvele]

Thank you @mourner I'm using pbf and it works like a charm with strict CSP.
Awesome lightweight low level library 👏

[aberrier]

Hello @yvele, I followed your comments on Github as I've came across the same issue of using protobufjs with CSP constraints.
Thank you for your feedback on pbf that will clearly makes me and any future developers win precious time on finding CSP-friendly alternatives to protobufjs ! 🚀