
(Security) CSP: unsafe-eval #101

Open
devonik opened this issue Apr 26, 2021 · 2 comments
Comments


devonik commented Apr 26, 2021

There is an issue with some CSP policies. eval is unsafe and may produce security problems.

Allows the use of eval() and similar methods for creating code from strings. You must include the single quotes.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
https://stackoverflow.com/questions/37155270/content-security-policy-csp-safe-usage-of-unsafe-eval


Code where problem occurs: [screenshot]

Could someone fix this?

jarvelov (Owner) commented May 9, 2021

Hi,

Thanks for reporting this. It looks like this is caused by Ajv, a dependency of VFJS. In an issue on Ajv's GitHub [the author of Ajv notices that it is a known issue and suggests that one should pre-compile the Ajv schema]; however, I do not know if it is possible to make use of pre-compiled schemas with VFJS. It might work without any issues, I haven't tried it.

I'll have to look into it; however, it might take a few months until I have time to dig deeper. If this is a critical issue I would recommend looking into other libraries; however, I'll keep this issue open, and if there are other people facing the same issue I will look into it sooner. If someone wants to submit a PR I very much welcome it.
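To make the mechanism behind this thread concrete, here is an added example (hypothetical code written for this page, not VFJS's or Ajv's own implementation). A schema compiler such as Ajv generates JavaScript source from a schema and turns it into a function with `new Function()`, which falls under the same `script-src` rule as `eval()`; a policy like `Content-Security-Policy: script-src 'self'` blocks that call, which is why the reporter had to add `'unsafe-eval'`. The block contrasts a miniature runtime compiler with the equivalent precompiled validator, and includes the one-time feature check a page can use to detect whether the active policy allows code generation from strings. The function and variable names (`compileAtRuntime`, `validateAgePrecompiled`, `evalAllowed`, `pickValidator`, `ageSchema`) and the sample inputs are all constructed for the example.

```javascript
// Added example (hypothetical code, not from VFJS or Ajv): why a schema
// validator that compiles at runtime collides with a CSP that omits
// 'unsafe-eval', and what a precompiled validator looks like instead.

// Constructed JSON Schema for one form field.
const ageSchema = {
  type: "object",
  properties: { age: { type: "integer", minimum: 0 } },
  required: ["age"],
};

// Runtime compilation, in the style of a schema compiler: generate JS
// source from the schema and turn it into a function with new Function().
// new Function() is covered by the same CSP rule as eval(); with a
// script-src that lacks 'unsafe-eval' the browser throws an EvalError here.
function compileAtRuntime(schema) {
  const min = schema.properties.age.minimum;
  const src =
    'return typeof d === "object" && d !== null && ' +
    "Number.isInteger(d.age) && d.age >= " + min + ";";
  return new Function("d", src);
}

// Build-time alternative: the same check emitted ahead of time as plain
// JavaScript. Nothing here creates code from a string, so it runs under
// a strict CSP. This is what "pre-compiling the schema" produces.
function validateAgePrecompiled(d) {
  return (
    typeof d === "object" && d !== null &&
    Number.isInteger(d.age) && d.age >= 0
  );
}

// Feature check a page can run once at start-up: does the active CSP
// allow code generation from strings? Returns false when the browser
// blocks new Function(). (Node, where this example is tested, allows it.)
function evalAllowed() {
  try {
    new Function("");
    return true;
  } catch (e) {
    return false;
  }
}

// Use the runtime compiler only where the policy permits it; otherwise
// fall back to the precompiled validator so the app works without
// loosening the CSP.
function pickValidator() {
  return evalAllowed() ? compileAtRuntime(ageSchema) : validateAgePrecompiled;
}

// Sample inputs (constructed).
const validForm = { age: 30 };
const invalidForm = { age: -1 };
console.log(pickValidator()(validForm), pickValidator()(invalidForm)); // true false
```

The precompiled path is the one to ship: it keeps `'unsafe-eval'` out of the policy entirely, and the feature check is mainly useful as a diagnostic that tells you at load time whether a dependency's runtime compiler is going to fail rather than discovering it from a console error on one platform, as happened on iOS below. Newer Ajv releases ship a standalone code generator that writes validators out as plain modules at build time, which is the real-world form of `validateAgePrecompiled`.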


vesper8 commented Jun 2, 2021

Also ran into this today... worked ok on Android without adding unsafe-eval, but on iOS it caused an issue... so I had to add 'unsafe-eval' to my CSP but wasn't super happy about having to do that.

Especially since I don't even use the validation capability of this library at the moment, and this issue seems related to validation.
