Content-Security-Policy: script-src: 'unsafe-eval' should not be required by tracker-assist #1934
Labels: bug (Something isn't working)
Workaround: I'm currently using this patch with yarn "berry"'s patch: protocol on

diff --git a/decode.js b/decode.js
index d65b12b290d3a80fcfb37ac40098ac2a7e4b0319..66ac8fff0051e2d30c4a00b047ae8242a6f3ca26 100644
--- a/decode.js
+++ b/decode.js
@@ -36,12 +36,9 @@ let sequentialMode = false
let inlineObjectReadThreshold = 2;
var BlockedFunction // we use search and replace to change the next call to BlockedFunction to avoid CSP issues for
// no-eval build
-try {
- new Function('')
-} catch(error) {
- // if eval variants are not supported, do not create inline object readers ever
- inlineObjectReadThreshold = Infinity
-}
+// if eval variants are not supported, do not create inline object readers ever
+inlineObjectReadThreshold = Infinity
+
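Review bot: the comment kept at `+// if eval variants are not supported, do not create inline object readers ever` no longer matches the code, because the probe it referred to (`new Function('')` inside the removed try/catch) is gone and `inlineObjectReadThreshold = Infinity` is now unconditional; reword it to say inline object readers are disabled outright for CSP compatibility. Dropping the probe is the right call for the browser: when a script-src policy without 'unsafe-eval' blocks `new Function('')`, the browser still sends a violation report even though the exception is caught, so the feature detection itself is what shows up at the report URL. The cost is that the inline-reader fast path is lost everywhere, not only where eval is blocked, which is the same trade-off the upstream no-eval entry points make.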
diff --git a/dist/index.js b/dist/index.js
index 37d87c97a292617d86028298a80c2dfeba2d0a80..cf0a8455b086c26d986fc017f7021de8ab0d4256 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -36,12 +36,10 @@
let sequentialMode = false;
let inlineObjectReadThreshold = 2;
// no-eval build
- try {
- new Function('');
- } catch(error) {
- // if eval variants are not supported, do not create inline object readers ever
- inlineObjectReadThreshold = Infinity;
- }
+
+ // if eval variants are not supported, do not create inline object readers ever
+ inlineObjectReadThreshold = Infinity;
+
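Review bot: this hunk duplicates the decode.js change into a build artefact, so it must be re-applied every time the version pinned by the patch: protocol moves, and the two copies will silently diverge if only one is updated on the next bump; a comment in the patch file pointing at the decode.js hunk, or limiting the patch to the entry that the browser bundle actually imports, would reduce that risk. The `// no-eval build` context line above the change now sits over an unconditional assignment rather than the probe it described, so it should be reworded here as well.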
diff --git a/dist/node.cjs b/dist/node.cjs
index 39d643eff4a11c89da6ab39fd495a16f96201522..3ecacd7177a4ca5855ff0852bd597aa939c3c3f1 100644
--- a/dist/node.cjs
+++ b/dist/node.cjs
@@ -38,12 +38,9 @@ let defaultOptions = {
let sequentialMode = false;
let inlineObjectReadThreshold = 2;
// no-eval build
-try {
- new Function('');
-} catch(error) {
- // if eval variants are not supported, do not create inline object readers ever
- inlineObjectReadThreshold = Infinity;
-}
+
+// if eval variants are not supported, do not create inline object readers ever
+inlineObjectReadThreshold = Infinity; |
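Review bot: dist/node.cjs is the Node build, and Node does not enforce a browser CSP, so the `new Function('')` probe removed here was never the source of the report-URL traffic; forcing `inlineObjectReadThreshold = Infinity` on the server side only costs decode throughput, unless the process runs with `--disallow-code-generation-from-strings`, and that case the original try/catch already handled. Consider restricting the patch to the browser bundle (dist/index.js) unless the Node process is hardened that way too.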
waiting for peers/peerjs#1247
Describe the issue

A dependency, cbor-x, triggers CSP errors due to its requirement for unsafe-eval. This is observed in the dependency's code, leading to reports on our CSP report URL. A potential workaround using decode-no-eval and index-no-eval exports has been identified, but it's unclear if this would impact performance. The issue is upstream, in peerjs, which declares cbor-x, as highlighted in a related issue I opened on their repository.

Steps to reproduce the issue

unsafe-eval in the console or CSP report URL.

Expected behavior

The tracker should not trigger CSP errors or require unsafe-eval in its dependencies, ensuring compatibility with strict CSP environments.

Screenshots

Additional context

decode-no-eval and index-no-eval. See: https://github.com/kriszyp/cbor-x/blob/0b5e8807622619c6a7a062f7e771478ecfd52f83/package.json#L58-L59 - also relevant: fix: no-eval import types kriszyp/cbor-x#102
script-src: unsafe-eval
peers/peerjs#1247
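An added example, written for this page and not code from the issue, cbor-x or peerjs, covering the defender's side of the CSP report URL mentioned above: it checks whether a Content-Security-Policy string grants 'unsafe-eval' to script-src, and triages report-uri `csp-report` JSON so blocked eval calls are counted per originating script, which is how a burst of reports is traced back to a dependency's `new Function('')` probe. The report bodies and their URLs are constructed samples.

```javascript
// Added example (not from the issue, cbor-x or peerjs): CSP triage helpers.
// Report shape follows the report-uri "csp-report" JSON body (CSP Level 2).

// Constructed sample reports, as a report-uri endpoint would receive them.
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://app.example/', 'violated-directive': "script-src 'self'",
      'effective-directive': 'script-src', 'blocked-uri': 'eval',
      'source-file': 'https://app.example/assets/vendor.js', 'line-number': 38 } },
  { 'csp-report': { 'document-uri': 'https://app.example/', 'violated-directive': "script-src 'self'",
      'effective-directive': 'script-src', 'blocked-uri': 'eval',
      'source-file': 'https://app.example/assets/vendor.js', 'line-number': 38 } },
  { 'csp-report': { 'document-uri': 'https://app.example/', 'violated-directive': "img-src 'self'",
      'effective-directive': 'img-src', 'blocked-uri': 'https://cdn.example-other/x.png',
      'source-file': 'https://app.example/' } },
];

// Parse a policy header into directive name -> source list.
// Per the CSP spec, a repeated directive keeps its first occurrence.
function parsePolicy(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const parts = raw.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...sources] = parts;
    if (!directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does script-src (or its default-src fallback) permit eval / new Function?
function scriptSrcAllowsEval(policy) {
  const directives = parsePolicy(policy);
  const sources = directives.get('script-src') ?? directives.get('default-src') ?? [];
  return sources.some(s => s.toLowerCase() === "'unsafe-eval'");
}

// Count blocked-eval reports per originating script file and line.
function evalViolationsBySource(reports) {
  const counts = new Map();
  for (const r of reports) {
    const body = r['csp-report'];
    if (!body) continue;
    const directive = body['effective-directive'] ?? body['violated-directive'] ?? '';
    // A blocked eval/new Function is reported with the literal blocked-uri "eval".
    if (!directive.startsWith('script-src') || body['blocked-uri'] !== 'eval') continue;
    const key = `${body['source-file'] ?? 'unknown'}:${body['line-number'] ?? '?'}`;
    counts.set(key, (counts.get(key) ?? 0) + 1);
  }
  return counts;
}
```

A single source-file:line pair dominating the counts is the signature of a feature probe in one dependency rather than of scattered eval use across the application.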