Content-Security-Policy: script-src: 'unsafe-eval' should not be required by tracker-assist #1934

Open
andreialecu opened this issue Mar 8, 2024 · 2 comments
Labels: bug (Something isn't working)

Comments

andreialecu commented Mar 8, 2024

Describe the issue
A dependency, cbor-x, triggers CSP errors due to its requirement for unsafe-eval. This is observed in the dependency's code, leading to reports on our CSP report URL. A potential workaround using decode-no-eval and index-no-eval exports has been identified, but it's unclear if this would impact performance.

The issue is upstream, in peerjs, which declares cbor-x, as highlighted in a related issue I opened on their repository.

Steps to reproduce the issue

  1. Implement @openreplay/tracker-assist in a project with strict CSP rules.
  2. Observe CSP errors related to unsafe-eval in the console or CSP report URL.
  3. Refer to the cbor-x code section that causes this issue: https://github.com/kriszyp/cbor-x/blob/0b5e8807622619c6a7a062f7e771478ecfd52f83/decode.js#L37-L44

Expected behavior
The tracker should not trigger CSP errors or require unsafe-eval in its dependencies, ensuring compatibility with strict CSP environments.


@andreialecu andreialecu added the bug Something isn't working label Mar 8, 2024
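The issue above turns on two things a practitioner has to check when a dependency probes for eval support: whether the page's `script-src` actually permits `'unsafe-eval'`, and what the resulting violation reports at the report URL look like. The following is an added example, not code from this issue, from openreplay/tracker-assist, peerjs or cbor-x. It parses a Content-Security-Policy header, answers the `'unsafe-eval'` question with the `default-src` fallback applied, and classifies report-uri JSON bodies so that load-time eval probes from one bundle stand out from other violations. All headers, hostnames, file names and report bodies are constructed for the example.

```javascript
// Added example (not code from the issue, openreplay/tracker-assist, peerjs or
// cbor-x): parse a Content-Security-Policy header, decide whether script-src
// permits 'unsafe-eval', and classify the JSON bodies a report-uri endpoint
// receives when a dependency probes eval support with `new Function('')`
// under a policy that forbids it. Headers, hostnames and reports below are
// constructed for the example.

// Parse "directive src src; directive ..." into Map<directive, [sources]>.
// User agents ignore a repeated directive, so the first occurrence wins.
function parseCsp(header) {
  const policy = new Map();
  for (const chunk of header.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) {
      policy.set(name, tokens.slice(1).map((s) => s.toLowerCase()));
    }
  }
  return policy;
}

// eval() and new Function() are governed by script-src; without script-src the
// user agent falls back to default-src; with neither, eval is unrestricted.
function allowsEval(policy) {
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) return true;
  return sources.includes("'unsafe-eval'");
}

// Classify one report body. An eval violation arrives with blocked-uri "eval".
// Newer user agents set effective-directive; older ones only send
// violated-directive, whose first token is the directive name.
function classifyReport(body) {
  const r = body['csp-report'] ?? body;
  const directive = String(r['effective-directive'] ?? r['violated-directive'] ?? '')
    .split(/\s+/)[0];
  if (r['blocked-uri'] === 'eval' && directive === 'script-src') {
    return { kind: 'eval', sourceFile: r['source-file'] ?? null, line: r['line-number'] ?? null };
  }
  if (r['blocked-uri'] === 'inline') {
    return { kind: 'inline', directive };
  }
  return { kind: 'other', directive, blockedUri: r['blocked-uri'] ?? null };
}

// Count eval violations per source file: a library that probes eval at load
// time shows up as one report per page load from the same bundle.
function evalViolationsByFile(reports) {
  const counts = {};
  for (const body of reports) {
    const c = classifyReport(body);
    if (c.kind !== 'eval') continue;
    const key = c.sourceFile ?? '(unknown)';
    counts[key] = (counts[key] ?? 0) + 1;
  }
  return counts;
}

// Constructed sample inputs (hostnames and paths are hypothetical).
const STRICT_HEADER =
  "default-src 'self'; script-src 'self' https://static.example.test; report-uri /csp-report";
const LAX_HEADER = "default-src 'self'; script-src 'self' 'unsafe-eval'";

const SAMPLE_REPORTS = [
  // Modern report shape: effective-directive present.
  { 'csp-report': { 'document-uri': 'https://app.example.test/',
      'violated-directive': "script-src 'self' https://static.example.test",
      'effective-directive': 'script-src', 'blocked-uri': 'eval',
      'source-file': 'https://static.example.test/vendor.js', 'line-number': 38 } },
  // Older shape: only violated-directive, carrying the full directive text.
  { 'csp-report': { 'document-uri': 'https://app.example.test/',
      'violated-directive': "script-src 'self' https://static.example.test",
      'blocked-uri': 'eval',
      'source-file': 'https://static.example.test/vendor.js', 'line-number': 38 } },
  // A script load from an unlisted origin: a script-src violation, but not eval.
  { 'csp-report': { 'document-uri': 'https://app.example.test/',
      'effective-directive': 'script-src',
      'blocked-uri': 'https://cdn.other.example.test/widget.js' } },
  // An inline style violation, unrelated to script-src.
  { 'csp-report': { 'document-uri': 'https://app.example.test/',
      'effective-directive': 'style-src', 'blocked-uri': 'inline' } },
];

console.log('strict policy allows eval:', allowsEval(parseCsp(STRICT_HEADER)));
console.log('lax policy allows eval:', allowsEval(parseCsp(LAX_HEADER)));
console.log('eval violations by file:', evalViolationsByFile(SAMPLE_REPORTS));
```

Running `evalViolationsByFile` over a day of reports grouped by `source-file` is the quickest way to confirm that every eval violation comes from one vendor bundle (the situation described in the issue) rather than from application code; note that the probe in the hunks below is wrapped in a `try`/`catch`, which suppresses the exception but not the report the user agent sends.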

andreialecu commented Mar 8, 2024

Workaround:

I'm currently using this patch with yarn "berry"'s patch: protocol on cbor-x. patch-package should work similarly.

diff --git a/decode.js b/decode.js
index d65b12b290d3a80fcfb37ac40098ac2a7e4b0319..66ac8fff0051e2d30c4a00b047ae8242a6f3ca26 100644
--- a/decode.js
+++ b/decode.js
@@ -36,12 +36,9 @@ let sequentialMode = false
 let inlineObjectReadThreshold = 2;
 var BlockedFunction // we use search and replace to change the next call to BlockedFunction to avoid CSP issues for
 // no-eval build
-try {
-	new Function('')
-} catch(error) {
-	// if eval variants are not supported, do not create inline object readers ever
-	inlineObjectReadThreshold = Infinity
-}
+// if eval variants are not supported, do not create inline object readers ever
+inlineObjectReadThreshold = Infinity
+
 
 
 
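Review bot: the replacement comment in this hunk ("if eval variants are not supported, do not create inline object readers ever") no longer matches the code, because the `new Function('')` probe that decided whether eval is supported is removed and `inlineObjectReadThreshold = Infinity` is now unconditional; reword it to say that inline object readers are disabled unconditionally so the load-time probe never runs under CSP. It is worth recording why, too: the probe sat inside `try {} catch(error) {}`, which swallows the exception but does not stop the user agent from sending the violation report, which is the symptom the issue describes. The hunk also leaves `var BlockedFunction` and the "no-eval build" comment above it untouched, which is a hint that the package already ships a build without the probe; if the decode-no-eval export mentioned in the issue covers this call site, an alias to it would avoid carrying a patch at all.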
diff --git a/dist/index.js b/dist/index.js
index 37d87c97a292617d86028298a80c2dfeba2d0a80..cf0a8455b086c26d986fc017f7021de8ab0d4256 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -36,12 +36,10 @@
 	let sequentialMode = false;
 	let inlineObjectReadThreshold = 2;
 	// no-eval build
-	try {
-		new Function('');
-	} catch(error) {
-		// if eval variants are not supported, do not create inline object readers ever
-		inlineObjectReadThreshold = Infinity;
-	}
+
+	// if eval variants are not supported, do not create inline object readers ever
+	inlineObjectReadThreshold = Infinity;
+
 
 
 
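Review bot: this hunk hand-edits the built bundle dist/index.js to mirror the decode.js change, so it will drift from the source whenever cbor-x is bumped and the patch stops applying; pin the exact cbor-x version alongside the patch: resolution so a version change fails loudly rather than quietly dropping the fix. Style: the hunk header goes from 12 to 10 lines where the decode.js hunk goes from 12 to 9, because an extra blank `+` line is added before the comment; drop it so the three copies of the change stay identical and easy to compare.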
diff --git a/dist/node.cjs b/dist/node.cjs
index 39d643eff4a11c89da6ab39fd495a16f96201522..3ecacd7177a4ca5855ff0852bd597aa939c3c3f1 100644
--- a/dist/node.cjs
+++ b/dist/node.cjs
@@ -38,12 +38,9 @@ let defaultOptions = {
 let sequentialMode = false;
 let inlineObjectReadThreshold = 2;
 // no-eval build
-try {
-	new Function('');
-} catch(error) {
-	// if eval variants are not supported, do not create inline object readers ever
-	inlineObjectReadThreshold = Infinity;
-}
+
+// if eval variants are not supported, do not create inline object readers ever
+inlineObjectReadThreshold = Infinity;
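Review bot: dist/node.cjs is the Node build, where no Content-Security-Policy header applies, so forcing `inlineObjectReadThreshold = Infinity` here removes the inline object readers from server-side decoding without any CSP benefit; leave this file out of the patch unless the Node path is also running in an environment that blocks `new Function`. If it is kept, it has the same stale comment as the decode.js hunk: "if eval variants are not supported" describes a check that the hunk deletes.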

nick-delirium (Contributor) commented:

waiting for peers/peerjs#1247
