aemkei/jsfuck

JSF code does not work if CSP forbids `eval`/`new Function`

hilbix opened this issue · 0 comments

If CSP forbids `eval` and `new Function` (and `<script>` injection) for safety, then code transpiled into JSF no longer works, as JSF transpiles the code into a string which must be evaluated.

I think this is a big flaw. Also, I consider the use of `eval` to be cheating, as this way JSF only does a string conversion and leaves the real dirty part to `eval`.

Is there a (known) subset (or variant/mode) which would make it able to transpile things into code which does not need to be evaled? Is this even possible? Of course, I think the character set must be slightly extended (like allowing `=` or some idiomatic `function ($){` with a closing `}`, only used for direct function definition, which is allowed under such CSP).

Sorry if this is a FAQ, but I tried myself for a few hours and failed, even when trying to Google for something like that. Am I really the first one to ask?
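
Added example, not part of the issue text or of the jsfuck project's code: a Node.js sketch of the behaviour reported above, showing that building a string from JSFuck's six characters survives a no-`eval` policy while the final `Function` constructor call does not. It assumes Node's `vm` option `codeGeneration.strings` as a stand-in for a CSP without `'unsafe-eval'`; `SAMPLES`, `runUnderPolicy` and `comparePolicies` are hypothetical names, and the sample expressions are constructed.

```javascript
// Added example. Node's vm context option codeGeneration.strings stands in for
// a browser CSP with or without 'unsafe-eval'; it is not a browser CSP engine.
const vm = require("node:vm");

// "filter" spelled with JSFuck's six characters only (no eval involved).
const FILTER =
  "(![]+[])[+[]]+" +                // "false"[0]            -> "f"
  "([![]]+[][[]])[+!+[]+[+[]]]+" +  // "falseundefined"[10]  -> "i"
  "(![]+[])[!+[]+!+[]]+" +          // "false"[2]            -> "l"
  "(!![]+[])[+[]]+" +               // "true"[0]             -> "t"
  "(!![]+[])[!+[]+!+[]+!+[]]+" +    // "true"[3]             -> "e"
  "(!![]+[])[+!+[]]";               // "true"[1]             -> "r"

// Constructed samples. "constructor" and the body are left as plain strings for
// readability; a real encoder spells those with the same six characters too.
const SAMPLES = {
  buildString: FILTER,
  runString: "[][" + FILTER + ']["constructor"]("return 6*7")()',
  directFunction: "(function () { return 6 * 7; })()",
};

// Evaluate source in a fresh context. allowStrings=false models a policy that
// forbids eval/new Function.
function runUnderPolicy(source, allowStrings) {
  const context = vm.createContext({}, {
    codeGeneration: { strings: allowStrings, wasm: false },
  });
  try {
    return String(vm.runInContext(source, context));
  } catch (err) {
    return "blocked: " + err.name;
  }
}

// Result table: sample name -> { unsafeEval, strict }.
function comparePolicies() {
  const table = {};
  for (const [name, source] of Object.entries(SAMPLES)) {
    table[name] = {
      unsafeEval: runUnderPolicy(source, true),
      strict: runUnderPolicy(source, false),
    };
  }
  return table;
}

console.log(comparePolicies());
```

Only `runString` differs between the two policies: the string-building step and the directly defined function run under both, which is why a policy without `'unsafe-eval'` stops JSFuck output at its execution step.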