Add a non-Eval alternative for Content Security Policy compatibility #628
Comments
This does not look like an issue with pegjs.
I can reproduce this on the http and https protocols. It's all about security policy. If the code uses the eval function, then it will not be executed; the browser will block its execution.
Your link is for http headers. You are in control of whatever headers you send on your server.
Yes, this header is related to security, but which application in 2020 will not think about security? It's quite a common practice to use this approach in a modern web application.
Pegjs is a parser generator, it is a bit of a separate breed of JS libs,
See: acornjs/acorn#90
I don't think that is a good solution for a parser generator. Performance is pretty important here after all.
I'm missing context in this issue. Can anybody point at the piece of relevant code?
I think it's worth adding a non-
Probably don't make it webpack only. This problem isn't webpack specific, and webpack is rapidly on the decline, in favor of rollup and parcel.
Honestly, there's no particular reason to leave
This should not be flagged
Dears, is there some solution looming? I now hit this problem hard when using peg.js for Chrome Extension development: Manifest V3 does not allow unsafe-eval any more...
Thanks for your prompt and forthcoming answer, @hildjj! I did not know about this successor. Unfortunately, it is still an issue there, I will create a ticket there.
Refactoring: remove "eval" from library
Prerequisites
Description
Steps to Reproduce
1. Server sets header: Content-Security-Policy: default-src https:
2. Load vendor.js on the client
3. Try to .parse() with pegjs:
Error(chrome dev tools): Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-NALaJ5yL9XVYFNSX8jAdayjJGG7VDRjzVeu1AYf0Kx0='), or a nonce ('nonce-...') is required to enable inline execution.
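The point running through the report and the later Manifest V3 comment is the same: a parser generator that builds its parser from generated source at runtime has to call eval or new Function, and any page or extension whose script policy lacks 'unsafe-eval' will refuse that call. The following is an added example, not pegjs code and not something posted by anyone in this thread. It parses a Content-Security-Policy header value, resolves the directive that governs script execution (script-src, otherwise default-src), reports whether 'unsafe-eval' is granted, and probes the live environment the way a library could before choosing between compiling at runtime and loading a precompiled parser. The sample header values, including the reporter's default-src https:, are constructed here, and all function names are my own.

```javascript
// Added example (not pegjs code): decide whether a CSP permits dynamic code
// evaluation (eval / new Function), which a runtime parser generator needs,
// and probe the environment the code is actually running in.

// Parse a Content-Security-Policy header value into a Map of
// directive name -> list of source expressions.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP: when a directive is repeated, the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// The directive that governs script execution is script-src; if it is
// absent, default-src applies. With neither present, scripts are unrestricted
// (null signals "no governing directive").
function scriptSources(header) {
  const d = parseCsp(header);
  if (d.has('script-src')) return d.get('script-src');
  if (d.has('default-src')) return d.get('default-src');
  return null;
}

// eval() and new Function() run only when the governing directive carries
// the 'unsafe-eval' keyword (a policy with no governing directive allows them).
function policyAllowsEval(header) {
  const sources = scriptSources(header);
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Runtime probe: under a policy without 'unsafe-eval', browsers throw an
// EvalError from new Function(). Node applies no CSP, so this returns true.
function dynamicCodeAvailable() {
  try {
    return new Function('return 1')() === 1;
  } catch (e) {
    return false;
  }
}

// How a library could use the probe: generate the parser from source at
// runtime only when dynamic code is permitted, otherwise require that the
// parser was generated at build time and shipped as a static script.
function chooseParserStrategy() {
  return dynamicCodeAvailable() ? 'runtime-generate' : 'precompiled';
}

// Constructed sample header values (assumptions for this example), the first
// being the header the reporter set.
const SAMPLE_POLICIES = {
  reporter: 'default-src https:',
  strictScripts: "default-src 'self'; script-src 'self'",
  allowsEval: "default-src 'self'; script-src 'self' 'unsafe-eval'",
  defaultOnlyEval: "default-src 'self' 'unsafe-eval'",
  noPolicy: '',
};

for (const [name, header] of Object.entries(SAMPLE_POLICIES)) {
  console.log(`${name.padEnd(16)} eval allowed: ${policyAllowsEval(header)}`);
}
console.log(`this runtime: ${chooseParserStrategy()}`);
```

The policy check is useful on the server side, where the header is chosen, and in a build step that wants to fail early when the shipped bundle still depends on runtime generation; the probe is the only thing that works inside the page or extension itself, because the browser does not expose the effective policy to scripts.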