Content security policy - script-src: unsafe-eval
AlejandroE opened this issue · 1 comment
AlejandroE commented
Using the npm package in a web project with 'unsafe-eval' disabled at the CSP level errors with:
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval'
is not an allowed source of script in the following
Content Security Policy directive: "script-src 'self' cdn.xxxxx.com".
at new Function (<anonymous>)
at tearOffGetter (internalAdmin.js:97912)
at tearOff (internalAdmin.js:97914)
at installTearOff (internalAdmin.js:97926)
at installInstanceTearOff (internalAdmin.js:97928)
at internalAdmin.js:97936
at installTearOffs (internalAdmin.js:107733)
at dartProgram (internalAdmin.js:107792)
at Object.<anonymous> (internalAdmin.js:108537)
at Object../node_modules/gltf-validator/gltf_validator.dart.js (internalAdmin.js:108538)
The dart compiler comes with a flag disabling dynamic code generation with the specific purpose of satisfying CSP restrictions:
Could this flag be added to the build process that publishes the npm package?
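An added example, not code from gltf-validator or from this issue's author: a small triage routine a deployment could run over the CSP violation reports browsers post to a `report-uri` endpoint, to find which bundled script tripped the eval restriction and whether the live policy already permits it. The report fields, file name and policy string are constructed; the `blocked-uri: "eval"` convention is what Chromium-based browsers send for eval()/new Function() blocks.

```javascript
// Constructed sample report, modelled on the error in this issue
// (legacy report-uri JSON shape; URLs and line number are assumptions).
const SAMPLE_REPORT = JSON.stringify({
  "csp-report": {
    "document-uri": "https://app.example.com/admin",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "original-policy": "script-src 'self' cdn.example.com; report-uri /csp-report",
    "blocked-uri": "eval",
    "source-file": "https://app.example.com/internalAdmin.js",
    "line-number": 97912,
    "status-code": 200
  }
});

// Parse one violation report and say whether it is an eval block under
// script-src. Returns null for anything that is not a CSP report.
function classifyCspReport(body) {
  let parsed;
  try { parsed = JSON.parse(body); } catch { return null; }
  const r = parsed && parsed["csp-report"];
  if (!r || typeof r !== "object") return null;
  const directive = String(r["effective-directive"] || r["violated-directive"] || "");
  const blocked = String(r["blocked-uri"] || "");
  // Browsers report eval()/new Function() violations with blocked-uri "eval".
  const needsUnsafeEval = directive.startsWith("script-src") && blocked === "eval";
  return {
    directive,
    blockedUri: blocked,
    needsUnsafeEval,
    sourceFile: r["source-file"] || null,
    line: Number.isInteger(r["line-number"]) ? r["line-number"] : null,
  };
}

// Check a policy string: does the directive governing scripts allow eval?
// script-src takes precedence; default-src is the fallback per CSP semantics.
function policyAllowsEval(policy) {
  const byName = {};
  for (const raw of policy.split(";")) {
    const parts = raw.trim().split(/\s+/).filter(Boolean);
    if (parts.length) byName[parts[0]] = parts.slice(1);
  }
  const sources = byName["script-src"] || byName["default-src"] || [];
  return sources.includes("'unsafe-eval'");
}

// Usage: const hit = classifyCspReport(SAMPLE_REPORT);
// hit.needsUnsafeEval === true, hit.sourceFile points at the bundle to inspect.
```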
lexaknyazev commented
A few years ago this flag was causing a significant code size increase, so we chose not to use it.
I'll reevaluate its effects for the next validator release. At the very least, we should give users a choice.