Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Package doesn't work with Content Security Policy unsafe-eval #45

Open
taras opened this issue Jan 10, 2022 · 6 comments · May be fixed by #46
Open

Package doesn't work with Content Security Policy unsafe-eval #45

taras opened this issue Jan 10, 2022 · 6 comments · May be fixed by #46

Comments

@taras
Copy link

taras commented Jan 10, 2022

NetlifyCMS uses this package as a dependency. This package includes an eval function that is not permitted with CSP 'unsafe-eval' which prevents NetlifyCMS from working in secure environments.

decaporg/decap-cms#4367 (comment)

Please, let me know if you're open to removing the eval - I can submit a PR.
This was referenced Jan 10, 2022
Open
Open
@glauberramos
Copy link

Hi, any update on this? Can we merge the PR?

@taras
Copy link
Author

taras commented Jun 10, 2022

I believe so. I don't remember. It's been so long :)

@iarna
Copy link
Owner

iarna commented Aug 3, 2022
edited

(I've been away from Github for a while for medical reasons, I'm not really back per se, but today's a good day.)

So the actual eval is safe, but you have rules that improperly flag it as unsafe? Am I understanding that correctly? I can't say I'm keen on "delete it and move on" as a solution...

Edit: Ah, I see, so this is in fact for bundled versions running inside browsers... Let's see if we can find a better solution than just deleting a feature that's quite useful server-side.

@WebReflection
Copy link

@iarna

So the actual eval is safe

accordingly to CSP eval is never safe and this is blocking our project to adopt this otherwise wonderful module ... no eval, Function, or any variant of these is possible under CSP rules that don't allow eval, and coming from a CDN this is also a foreign module so even more relevant as considered "not safe".

CSP doesn't care if you just eval("1 + 2"), it cares that no code evaluation ever happens at runtime.

Please consider using typeof require and then require?.(...) within that try/catch as eval is not strictly needed in the first place, "env detection" would do a way better job without bothering the safety of the module, thank you!

@WebReflection WebReflection mentioned this issue Sep 14, 2023
Closed
@WebReflection
Copy link

WebReflection commented Sep 14, 2023
edited

@iarna I can file a clean PR if needed, just let me know, thanks!

edit although I really don't understand this comment:

/* eval require not available in transpiled bundle */

I am not sure what you mean but transpilers make that eval happens: see https://cdn.jsdelivr.net/npm/@iarna/toml/parse-string/+esm

@WebReflection
Copy link

@iarna I don't see much activity in this repo ... are you OK for a fork? Happy to push back in here changes I might make to this, but I ma focusing mostly on web compat so any require will be removed from the codebase if any eval is needed, yet the rest would remain, as require('util').inspect imho shouldn't be ever needed in the first place, when we have better tools and ways these days to debug issues ... would that work?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

chore: remove eval to allow execution without unsafe-eval CSP taras/iarna-toml
4 participants
@taras @WebReflection @glauberramos @iarna