MSIE detection uses eval which is blocked by browser Content Security Policy

Question

MSIE detection uses eval which is blocked by browser Content Security Policy

Closed this issue 10 years ago · 9 comments

Hi,

This line in history.js:

var msie = window['eval'] && eval("/@cc_on 1;@/");

causes a problem if the server sends a Content-Security-Policy header. JS execution is stopped and the console gives errors like this:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'

The use of eval is not permitted. More info here:

http://www.html5rocks.com/en/tutorials/security/content-security-policy/#eval-too

I've done a little tweaking and I believe this would work just as well, without the use of eval:

var msie = /*@cc_on 1!@*/false;

Thanks.

Answer 1 · 2014-11-04T17:41:59.000Z

Hi, thanks for comment

I've done a little tweaking and I believe this would work just as well, without the use of eval:

eval is needed for what would Google Closure Compiler did not delete this line when compiling

Answer 2 · 2014-11-04T18:07:20.000Z

There is a solution:

var msie = global['execScript'] && (global['execScript']('var documentMsie/*@cc_on =1@*/;', 'JavaScript'), global.documentMsie);

Please check this solution, Thank you!

Answer 3 · 2014-11-04T18:13:44.000Z

Hi,

Thank you! I'll check it as soon as I get into the office tomorrow.

Simon
On 4 Nov 2014 18:07, "Dmitrii Pakhtinov" notifications@github.com wrote:

There is a solution:

var msie = global['execScript'] && (global['execScript']('var documentMsie/@cc_on =1@/;',), global.documentMsie);

Please check this solution, Thank you!

—
Reply to this email directly or view it on GitHub
#70 (comment)
.

Answer 4 · 2014-11-04T18:17:12.000Z

Okay, waiting for tomorrow.

Answer 5 · 2014-11-05T10:05:54.000Z

Hi Dmitrii,

Unfortunately this causes an error in Chrome and possibly other browsers:

Uncaught ReferenceError: global is not defined

Si

On 4 November 2014 18:17, Dmitrii Pakhtinov notifications@github.com
wrote:

Okay, waiting for tomorrow.

—
Reply to this email directly or view it on GitHub
#70 (comment)
.

Answer 6 · 2014-11-05T14:10:29.000Z

Very strange, I checked in chrome, no problems.

You simply change the line in 1136 ?

Answer 7 · 2014-11-05T14:15:51.000Z

Sorry my mistake. I didn't realise we had an out of date version of
history.js. No errors now. Thank you!

On 5 November 2014 14:10, Dmitrii Pakhtinov notifications@github.com
wrote:

Very strange, I checked in chrome, no problems.

You simply change the line in 1136 ?

—
Reply to this email directly or view it on GitHub
#70 (comment)
.

Answer 8 · 2014-11-05T15:01:51.000Z

it's good

I add this solution to a release

Answer 9 · 2014-11-05T15:08:27.000Z

Great stuff. Thanks for your help.

On 5 November 2014 15:01, Dmitrii Pakhtinov notifications@github.com
wrote:

it's good

I add this solution to a release

—
Reply to this email directly or view it on GitHub
#70 (comment)
.