jeremyckahn/shifty

Shifty will not run when Content Security Policy directive blocks 'unsafe-eval'

louh opened this issue · 5 comments

louh commented

Shifty will be blocked if it's run on a page whose Content Security Policy (CSP) does not permit 'unsafe-eval'. It seems to be coming from here: https://github.com/jeremyckahn/shifty/blob/master/src/tweenable.js#L9 where new Function() is invoked to return the global object.

The issue with allowing unsafe-eval for this one case (where it's actually safe, since the function does not involve any untrusted input) is that it opens up unsafe eval() (or similar string-evaluated functions) from other sources. Can there be an alternate way of accessing the global object that doesn't require permissive CSP directives?

Happy to make a PR, if you'd like.
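For readers landing on this thread with the same CSP problem, here is an added example (not Shifty's own code, and not a patch from this thread) showing the pattern the issue points at next to a CSP-safe way to reach the global object, plus a small probe that reports whether string-evaluated code is allowed in the current context. Function names are my own.

```javascript
// Added example, not Shifty's code: obtaining the global object without
// string-evaluated code, so a page can keep a CSP that omits 'unsafe-eval'.

// The pattern the issue points at. `new Function(...)` compiles a function
// from a string, which CSP treats like eval() and blocks without 'unsafe-eval'.
function getGlobalViaFunction() {
  return new Function('return this')();
}

// CSP-safe alternative: probe the well-known global names directly.
// `typeof` on an undeclared identifier yields 'undefined' instead of throwing,
// so each check is safe in any environment. Nothing here compiles a string.
function getGlobalObject() {
  if (typeof globalThis === 'object' && globalThis) return globalThis; // modern engines
  if (typeof self === 'object' && self) return self;                   // browsers, workers
  if (typeof window === 'object' && window) return window;             // browsers
  if (typeof global === 'object' && global) return global;             // Node.js
  throw new Error('Unable to locate the global object');
}

// Probe: under a CSP that blocks 'unsafe-eval', browsers throw when a function
// is compiled from a string. Libraries can use this to fail loudly at load
// time rather than in the middle of an animation.
function isUnsafeEvalAllowed() {
  try {
    new Function('return 1'); // never executed; compiling it is what CSP blocks
    return true;
  } catch (err) {
    return false;
  }
}
```

In a browser with `script-src 'self'` and no `'unsafe-eval'`, `getGlobalViaFunction()` throws and `isUnsafeEvalAllowed()` returns `false`, while `getGlobalObject()` still returns `window`; in Node.js both approaches resolve to `globalThis`.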

louh commented

Oh I see - this was a recent change made in 2.0.3 (via 14facbe). What is it fixing? Just curious.

Hi @louh, thanks for opening this issue! To be honest, I can't remember why I made the change in 14facbe... which I realize isn't a great answer. 😬 I vaguely remember it being something related to a Webpack/build artifact issue, but I can't honestly recall.

I just tried reverting that line in my local environment, and it doesn't seem to be breaking anything. I'll put together a PR in a moment for you to try out!

@louh I don't know if GitHub sent you a notification, but please review/test #100 when you get a chance!

The fix has been released in 2.2.1. Thanks again for reporting!

louh commented

Got it - thanks again so much for your help, and for maintaining this library!