Content Security Policy infringing code
kyranjamie opened this issue · 1 comment
kyranjamie commented
This package depends on `ajv`, which internally uses `new Function(..., sourcecode)`, equivalent to `eval()`. This is documented in their readme.
The result of this is that any package bundling `conf` (or `electron-store`) infringes secure CSPs. That is, a CSP without an `'unsafe-eval'` directive.
Ideally, a package shouldn't prohibit use of a strict CSP.
- Are there any workarounds I'm not aware of that can be documented?
- Does this package need to be modularised so that those with no CSP & wanting schema validation can have this functionality?
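Added example, not code from the issue thread or from the conf project: a small parser that decides whether a given Content-Security-Policy string would permit the dynamic code evaluation that ajv's schema compilation relies on. It follows the CSP rules that `script-src` governs `eval`-style execution, that `default-src` is only consulted when `script-src` is absent, and that a repeated directive is ignored (the first occurrence wins). The sample policies at the bottom are constructed for illustration.

```javascript
// Added example (not from the issue or the conf project). Input is the raw
// Content-Security-Policy header value, or the content attribute of a
// <meta http-equiv="Content-Security-Policy"> tag in an Electron renderer.

// Split a policy into a Map of directive name -> list of source expressions.
// Per the CSP spec a repeated directive is ignored, so the first one wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src governs eval / new Function; default-src is the fallback when
// script-src is absent. Returns null when neither is present, i.e. the
// policy places no restriction on scripts at all.
function scriptSources(policy) {
  const d = parseCsp(policy);
  if (d.has('script-src')) return d.get('script-src');
  if (d.has('default-src')) return d.get('default-src');
  return null;
}

// true when code such as ajv's generated validators could run under this policy.
// Keyword sources like 'unsafe-eval' are matched case-insensitively, as the spec requires.
function allowsEval(policy) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Human-readable verdict, handy for a quick CLI check or a test suite.
function describeEvalPolicy(policy) {
  const sources = scriptSources(policy);
  if (sources === null) return 'no script-src or default-src: eval allowed';
  return allowsEval(policy)
    ? "'unsafe-eval' present: eval allowed"
    : `eval blocked; effective script sources: ${sources.join(' ')}`;
}

// Constructed sample policies (not taken from any real deployment).
const STRICT_CSP = "default-src 'self'; script-src 'self'";
const EVAL_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval'";
const FALLBACK_CSP = "default-src 'self' 'unsafe-eval'";

for (const policy of [STRICT_CSP, EVAL_CSP, FALLBACK_CSP]) {
  console.log(`${policy}\n  -> ${describeEvalPolicy(policy)}`);
}
```

Note that the policy only applies to web content, so in an Electron app it is the renderer's CSP that matters; `conf` running in the main (Node) process is not subject to it, which is why the problem surfaces specifically when the package is bundled into renderer code.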
kyranjamie commented
A workaround can be found in this PR: leather-io/desktop#299. If you don't need to use the schema validation functionality, omit `ajv` and create an alias to a stub.
```js
plugins: [
  // Ignore requires of ajv whose context matches /^conf$/ (webpack IgnorePlugin signature: resourceRegExp, contextRegExp)
  new webpack.IgnorePlugin(/ajv/, /^conf$/),
]
```
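Added example, not code from the issue thread or from the conf project: after applying a workaround like the one above, the thing a maintainer wants to verify is that the built bundle no longer contains the constructs a CSP without `'unsafe-eval'` blocks. This is a heuristic static check over bundle text for `eval(`, `Function(` and string-argument timers; the two sample bundles are constructed to show the shape of a bundle before and after ajv's code generation is removed, and the pattern list and function names are this example's own.

```javascript
// Added example (not from the issue or the conf project). Scans JavaScript
// source for constructs that a CSP lacking 'unsafe-eval' rejects at runtime.
// Heuristic: minified or obfuscated code can hide these, and hits may also
// come from the bundler's own runtime helpers, so each finding needs review.

// One finding per pattern per line. The lookbehind excludes identifiers that
// merely end in "eval" or "Function" (e.g. reval(), myFunction()).
const EVAL_PATTERNS = [
  { kind: 'eval call', re: /(?<![\w$])eval\s*\(/ },
  { kind: 'Function constructor', re: /(?<![\w$])Function\s*\(/ },
  { kind: 'string timer', re: /(?<![\w$])set(?:Timeout|Interval)\s*\(\s*["'`]/ },
];

// Returns [{ line, kind, text }] for every matching line in the source.
function findEvalUses(source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    for (const { kind, re } of EVAL_PATTERNS) {
      if (re.test(text)) findings.push({ line: index + 1, kind, text: text.trim() });
    }
  });
  return findings;
}

// Report suitable for CI output; a non-empty findings list should fail the build.
function formatReport(findings) {
  if (findings.length === 0) return 'OK: no eval-style constructs found';
  return findings.map((f) => `line ${f.line}: ${f.kind}: ${f.text}`).join('\n');
}

// Constructed samples: what a bundle looks like with ajv-style code generation
// still present, and after the validator has been replaced by a plain function.
const BUNDLE_WITH_CODEGEN = [
  '"use strict";',
  'var validate = new Function("data", "return typeof data === \'object\'");',
  'module.exports = { validate: validate };',
].join('\n');

const BUNDLE_STUBBED = [
  '"use strict";',
  'function validate(data) { return typeof data === "object"; }',
  'module.exports = { validate: validate };',
].join('\n');

console.log('before workaround:\n' + formatReport(findEvalUses(BUNDLE_WITH_CODEGEN)));
console.log('after workaround:\n' + formatReport(findEvalUses(BUNDLE_STUBBED)));
```

To run it against a real build, read the emitted bundle with `fs.readFileSync(path, 'utf8')` and pass the text to `findEvalUses`; exiting non-zero when the list is non-empty turns it into a regression check for the CSP issue described in this thread.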