Use of eval which is blocked by script-src Content Security Policy
will-newmarch opened this issue · 4 comments
Is there any possible way the use of 'eval' could be removed from the library? (I realise this might be quite an integral part)
Line 40 in 8cae202
We are having issues with it triggering security warnings around - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
Apparently as part of tightening security using CSP headers eval() is increasingly non-viable.
We're having issues too. Replacing the whole _globals section with window.doT = doT; gets past the first hurdle, but after that, the rest of the code is heavily based on new Function, which is eval() in disguise.
We have also run into this issue with an NPM module due to doT being used as a transient dependency. Using eval is a definite code smell/bad pattern from a security perspective. Is this project under active maintenance anymore? This seems to be a rather contentious issue to ignore.
I had set the Content-Security-Policy to "script-src 'self' 'unsafe-eval' 'unsafe-inline'; object-src 'self'" to fix the error.
The solution is either to allow eval (as above) or, better, to precompile templates as part of the build step and deploy the compiled functions.