KhronosGroup/glTF-Validator

Content security policy - script-src: unsafe-eval

AlejandroE opened this issue · 1 comments

Using the npm package in a web project with unsafe-eval disabled at CSP level errors with:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' 
is not an allowed source of script in the following 
Content Security Policy directive: "script-src 'self' cdn.xxxxx.com".
    at new Function (<anonymous>)
    at tearOffGetter (internalAdmin.js:97912)
    at tearOff (internalAdmin.js:97914)
    at installTearOff (internalAdmin.js:97926)
    at installInstanceTearOff (internalAdmin.js:97928)
    at internalAdmin.js:97936
    at installTearOffs (internalAdmin.js:107733)
    at dartProgram (internalAdmin.js:107792)
    at Object.<anonymous> (internalAdmin.js:108537)
    at Object../node_modules/gltf-validator/gltf_validator.dart.js (internalAdmin.js:108538)

The Dart compiler comes with a flag disabling dynamic code generation with the specific purpose of satisfying CSP restrictions:

https://dart.dev/tools/dart2js#:~:text=generated%20from%20packages.-,%2D%2Dcsp,-Disables%20dynamic%20generation

Could this flag be added to the build process that publishes the npm package?
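To see ahead of time whether a given policy will trigger the error quoted above, here is an added example (not code from this issue or from glTF-Validator): it parses a Content-Security-Policy value, applies the script-src / default-src fallback, and pairs that with a runtime probe that catches the EvalError instead of letting the bundle crash at load. The policy strings are constructed samples, reusing the one from the issue.

```javascript
// Added example, not from the glTF-Validator project. A dart2js bundle built
// without --csp creates functions with `new Function` (see tearOffGetter in
// the trace), which a CSP lacking 'unsafe-eval' in script-src forbids.
'use strict';

// Parse a CSP header value into {directive: [sources]}. Keyword sources such
// as 'unsafe-eval' are stored without quotes and lower-cased for comparison.
function parseCsp(policy) {
  const directives = Object.create(null);
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [rawName, ...sources] = tokens;
    const name = rawName.toLowerCase();
    // Per the CSP spec, only the first occurrence of a directive is honoured.
    if (!(name in directives)) {
      directives[name] = sources.map((s) => s.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return directives;
}

// Would `new Function` / eval be permitted under this policy?
// script-src governs it; if absent, default-src applies; with neither, eval
// is unrestricted (as it is with no CSP at all).
function dynamicCodeAllowedBy(policy) {
  const d = parseCsp(policy);
  const sources = d['script-src'] || d['default-src'];
  if (!sources) return true;
  return sources.includes('unsafe-eval');
}

// Runtime probe for the same question from inside the page: under a CSP
// without 'unsafe-eval' the constructor throws EvalError, as in the issue.
// Call this before importing the validator bundle to fail gracefully.
function dynamicCodeAllowedAtRuntime() {
  try {
    new Function('return 1');
    return true;
  } catch (e) {
    if (e instanceof EvalError) return false;
    throw e; // anything else is a real bug, not a CSP refusal
  }
}

// Constructed sample: the policy from the issue's error message.
const ISSUE_POLICY = "script-src 'self' cdn.xxxxx.com";
```

Under the issue's policy `dynamicCodeAllowedBy(ISSUE_POLICY)` is false, so a bundle built without `--csp` will fail exactly as the trace shows; adding `'unsafe-eval'` to script-src makes it true but widens the policy, which is why the build-time flag is the better fix.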

A few years ago this flag was causing a significant code size increase, so we chose not to use it.

I'll reevaluate its effects for the next validator release. At the very least, we should give users a choice.