sveltejs/sapper

build/server/server.js is causing a CSP error

maximedupre opened this issue · 2 comments

Describe the bug
This file contains new Function (injected in the browser), which is a form of eval, which causes a CSP error, unless adding unsafe-eval, which sounds like a big security issue 😄

This is the code that seems problematic

if (build_info.bundler === 'rollup') {
	if (build_info.legacy_assets) {
		const legacy_main = `${req.baseUrl}/client/legacy/${build_info.legacy_assets.main}`;
		script += `(function(){try{eval("async function x(){}");var main="${main}"}catch(e){main="${legacy_main}"};var s=document.createElement("script");try{new Function("if(0)import('')")();s.src=main;s.type="module";s.crossOrigin="use-credentials";}catch(e){s.src="${req.baseUrl}/client/shimport@${build_info.shimport}.js";s.setAttribute("data-main",main);}document.head.appendChild(s);}());`;
	} else {
		script += `var s=document.createElement("script");try{new Function("if(0)import('')")();s.src="${main}";s.type="module";s.crossOrigin="use-credentials";}catch(e){s.src="${req.baseUrl}/client/shimport@${build_info.shimport}.js";s.setAttribute("data-main","${main}")}document.head.appendChild(s)`;
	}
} else {
	script += `</script><script src="${main}" defer>`;
}

Logs

The Content Security Policy (CSP) prevents the evaluation of arbitrary strings as JavaScript to make it more difficult for an attacker to inject unathorized code on your site.
To solve this issue, avoid using eval(), new Function(), setTimeout([string], ...) and setInterval([string], ...) for evaluating strings.
If you absolutely must: you can enable string evaluation by adding unsafe-eval as an allowed source in a script-src directive.
โš ๏ธ Allowing string evaluation comes at the risk of inline script injection.

Information about your Sapper Installation:

System:
OS: macOS 10.15.7
CPU: (8) x64 Intel(R) Core(TM) i7-3820QM CPU @ 2.70GHz
Memory: 60.69 MB / 16.00 GB
Shell: 5.7.1 - /bin/zsh
Binaries:
Node: 14.15.0 - /usr/local/bin/node
Yarn: 1.22.10 - /usr/local/bin/yarn
npm: 6.14.8 - /usr/local/bin/npm
Watchman: 4.9.0 - /usr/local/bin/watchman
Browsers:
Brave Browser: 86.1.16.68
Chrome: 86.0.4240.111
Chrome Canary: 88.0.4310.0
Firefox: 79.0
Safari: 14.0
npmPackages:
rollup: 2.24.0 => 2.24.0
sapper: 0.28.0 => 0.28.0
svelte: 3.24.1 => 3.24.1
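The `new Function("if(0)import('')")` call in the bootstrap above is a syntax check for dynamic `import()` support: in a browser that understands the syntax the call succeeds and the module build is loaded, otherwise the `catch` branch loads the shimport fallback. Under a Content-Security-Policy whose `script-src` (or inherited `default-src`) lacks `'unsafe-eval'`, the browser refuses the string evaluation and throws, so the `catch` branch runs in every browser (and in the legacy-assets branch the earlier `eval("async function x(){}")` fails the same way and selects the legacy bundle) while the console reports the violation shown in the Logs section. The following is an added example, not Sapper's code: a small Node script that flags the four string-evaluation sinks named in the browser's CSP message inside a generated inline script and checks whether a given policy would allow them. The function names (`findEvalSinks`, `stringEvalAllowed`, `auditBootstrap`) are hypothetical, and the sample bootstrap string is a hand-filled copy of the issue's legacy branch with made-up asset paths and a `VERSION` placeholder.

```javascript
// Added example (not Sapper's code): flag the string-evaluation sinks that a
// Content Security Policy without 'unsafe-eval' blocks, and check whether a
// given policy value would permit them. Plain Node, no dependencies.

// Patterns for the four sinks listed in the browser's CSP message.
const SINK_PATTERNS = [
  { sink: 'eval', re: /\beval\s*\(/g },
  { sink: 'new Function', re: /\bnew\s+Function\s*\(/g },
  // setTimeout/setInterval only evaluate strings when the first argument is a string literal.
  { sink: 'setTimeout(string)', re: /\bsetTimeout\s*\(\s*["'`]/g },
  { sink: 'setInterval(string)', re: /\bsetInterval\s*\(\s*["'`]/g },
];

// Return every sink occurrence in `source`, ordered by position in the text.
function findEvalSinks(source) {
  const hits = [];
  for (const { sink, re } of SINK_PATTERNS) {
    re.lastIndex = 0; // global regexes keep scan state between calls
    let m;
    while ((m = re.exec(source)) !== null) {
      hits.push({
        sink,
        offset: m.index,
        line: source.slice(0, m.index).split('\n').length,
        snippet: source.slice(m.index, m.index + 40),
      });
    }
  }
  return hits.sort((a, b) => a.offset - b.offset);
}

// Parse a Content-Security-Policy header value and report whether string
// evaluation is permitted. CSP rules applied here: the first occurrence of a
// directive wins, script-src falls back to default-src, and when neither is
// present script sources are unrestricted (so eval is allowed).
function stringEvalAllowed(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  const sources = directives.get('script-src') || directives.get('default-src');
  if (!sources) return true;
  return sources.includes("'unsafe-eval'");
}

// Combine both checks: which of the sinks found in `source` will `policy` block?
function auditBootstrap(source, policy) {
  const sinks = findEvalSinks(source);
  const policyAllowsEval = stringEvalAllowed(policy);
  return { policyAllowsEval, sinks, blocked: policyAllowsEval ? [] : sinks };
}

// Constructed sample: the legacy-assets branch of the inline bootstrap from the
// issue with its template placeholders filled in by hand (paths are made up,
// VERSION stands in for the real shimport version).
const SAMPLE_BOOTSTRAP =
  '(function(){try{eval("async function x(){}");var main="/client/main.js"}' +
  'catch(e){main="/client/legacy/main.js"};var s=document.createElement("script");' +
  'try{new Function("if(0)import(\'\')")();s.src=main;s.type="module";' +
  's.crossOrigin="use-credentials";}catch(e){s.src="/client/shimport@VERSION.js";' +
  's.setAttribute("data-main",main);}document.head.appendChild(s);}());';

// A policy without 'unsafe-eval': both sinks in the sample are blocked.
const STRICT_POLICY = "default-src 'self'; script-src 'self'";

const REPORT = auditBootstrap(SAMPLE_BOOTSTRAP, STRICT_POLICY);
for (const h of REPORT.blocked) {
  console.log(`blocked by CSP: ${h.sink} at offset ${h.offset}: ${h.snippet}`);
}
```

Running the script against the sample prints two blocked sinks (`eval` and `new Function`); feeding it a policy that contains `'unsafe-eval'` reports none, which is exactly the trade-off the browser message warns about. The scanner is a string-level heuristic meant for build output, not a parser: it will also flag `obj.eval(` and miss sinks reached through aliases, so treat a clean result as a quick check rather than proof.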

This is also a problem for me, when it used to not be. :( Does anyone know when this was put in?

Is there a known workaround for this eval?
I guess it is only a kind of feature check.