Content-Security-Policy: script-src: 'unsafe-eval' should not be required by tracker-assist (#1934)
Labels: bug (Something isn't working)
Describe the issue

A dependency, cbor-x, triggers CSP errors due to its requirement for 'unsafe-eval'. This is observed in the dependency's code, leading to reports on our CSP report URL. A potential workaround using the decode-no-eval and index-no-eval exports has been identified, but it's unclear if this would impact performance. The issue is upstream, in peerjs, which declares cbor-x, as highlighted in a related issue I opened on their repository.

Steps to reproduce the issue
unsafe-eval in the console or CSP report URL.

Expected behavior

The tracker should not trigger CSP errors or require 'unsafe-eval' in its dependencies, ensuring compatibility with strict CSP environments.

Screenshots
Additional context

decode-no-eval and index-no-eval. See: https://github.com/kriszyp/cbor-x/blob/0b5e8807622619c6a7a062f7e771478ecfd52f83/package.json#L58-L59 - also relevant: fix: no-eval import types kriszyp/cbor-x#102

Related: script-src: unsafe-eval (peers/peerjs#1247)
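The report above turns on two things a site operator can check: whether the served policy actually grants 'unsafe-eval' to scripts (if it does, a dependency's eval() is silently permitted and never shows up at the report URL), and which script file the eval() violations arriving at the report URL come from, so the offending dependency can be pinned down. The following is an added example written for this issue, not code from the issue, from tracker-assist, peerjs or cbor-x. It parses a CSP header value, decides whether eval is allowed (honouring the script-src to default-src fallback), and groups report-uri style violation reports by the source file that triggered them. The host names, file names and report contents are constructed sample data.

```javascript
// Added example, not code from the issue, tracker-assist, peerjs or cbor-x.
// Two defender-side checks for the situation the report describes:
//  1. does the served Content-Security-Policy grant 'unsafe-eval' to scripts;
//  2. which script file the eval() violations at the CSP report URL come from.

// Parse a CSP header value into { directiveName: [sourceExpressions] }.
// Directive names are case-insensitive; a repeated directive is ignored
// after its first occurrence, which is how browsers treat duplicates.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in policy)) policy[key] = sources;
  }
  return policy;
}

// script-src governs eval(); when it is absent, default-src applies instead.
function effectiveScriptSources(policy) {
  return policy['script-src'] || policy['default-src'] || [];
}

// True when the policy lets scripts call eval() / new Function().
function allowsUnsafeEval(header) {
  return effectiveScriptSources(parseCsp(header))
    .some((src) => src.toLowerCase() === "'unsafe-eval'");
}

// Classify one report-uri style violation report ({ "csp-report": {...} }).
// Browsers flag eval()/new Function() blocks with blocked-uri "eval" and
// inline script blocks with blocked-uri "inline". (Reporting API reports sent
// via report-to use different field names and are not handled here.)
function classifyReport(report) {
  const r = report['csp-report'] || report;
  const directive = String(r['effective-directive'] || r['violated-directive'] || '')
    .split(/\s+/)[0];
  const blocked = String(r['blocked-uri'] || '');
  let kind = 'other';
  if (directive === 'script-src' && blocked === 'eval') kind = 'eval';
  else if (directive === 'script-src' && blocked === 'inline') kind = 'inline';
  return {
    kind,
    directive,
    sourceFile: r['source-file'] || null,
    line: r['line-number'] ?? null,
  };
}

// Count eval violations per originating script file; the file with the most
// hits is the one that needs an eval-free build or replacement.
function evalViolationsByFile(reports) {
  const counts = {};
  for (const report of reports) {
    const c = classifyReport(report);
    if (c.kind !== 'eval') continue;
    const file = c.sourceFile || '(unknown)';
    counts[file] = (counts[file] || 0) + 1;
  }
  return counts;
}

// Constructed sample reports (not real reports from the issue's report URL).
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://app.example/', 'violated-directive': "script-src 'self'",
      'effective-directive': 'script-src', 'blocked-uri': 'eval',
      'source-file': 'https://app.example/static/vendor.js', 'line-number': 1 } },
  { 'csp-report': { 'document-uri': 'https://app.example/room', 'violated-directive': "script-src 'self'",
      'effective-directive': 'script-src', 'blocked-uri': 'eval',
      'source-file': 'https://app.example/static/vendor.js', 'line-number': 1 } },
  { 'csp-report': { 'document-uri': 'https://app.example/', 'violated-directive': "script-src 'self'",
      'effective-directive': 'script-src', 'blocked-uri': 'inline',
      'source-file': 'https://app.example/static/app.js', 'line-number': 40 } },
  { 'csp-report': { 'document-uri': 'https://app.example/', 'violated-directive': "img-src 'self'",
      'effective-directive': 'img-src', 'blocked-uri': 'https://cdn.example/pixel.gif' } },
];

// Constructed policies: the strict one the reporter wants to keep, and the
// relaxed one that would merely hide the dependency's eval() use.
const STRICT_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; report-uri /csp-report";
const RELAXED_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval'; object-src 'none'";

function main() {
  console.log('strict policy allows eval:', allowsUnsafeEval(STRICT_CSP));
  console.log('relaxed policy allows eval:', allowsUnsafeEval(RELAXED_CSP));
  console.log('eval violations by file:', evalViolationsByFile(SAMPLE_REPORTS));
}

main();
```

Under the strict policy every eval() in a dependency becomes a report-uri hit attributed to the bundle that contains it, which is the signal the issue describes; loosening script-src to 'unsafe-eval' makes the reports disappear but leaves the whole origin able to execute strings as code. The fix direction the reporter points at is the eval-free cbor-x entry points; assuming the subpath names follow the export names cited in the issue, that would mean importing from `cbor-x/index-no-eval` (or `cbor-x/decode-no-eval` for decode-only use) instead of the default entry, at whatever throughput cost the generated-code decoder was buying, which is the open performance question in the report.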