Support a strict CSP without 'unsafe-eval' #303
Comments
You can use The core of why the function constructor is used is that MDX compiles to React code that needs to be executed while markdown compiles to HTML. Typically remark is inserted with the dangerouslySetInnerHTML API, so they both expose you to roughly the same surface area for XSS. There are two ways to use MDX, one is similar to the I'm open to different approaches that might allow more regular Gatsby usage for layouts, etc. and also remove the function constructor usage. One idea I have is similar to what rehype-react does, in which we could have a
Thanks for your comments, @ChristopherBiscardi. One difference between
@morloy @ChristopherBiscardi I'm facing the same issue. Could you please share a working example of how to go about it? Basically, I create dynamic pages via the following code
I use So I'm not exactly sure how to go about,
@aTechGuide Use the src/pages support that does this by default, or your createPages call needs to point to an mdx file:
@ChristopherBiscardi Thank you so much for such a prompt response. I did try the fix in my gatsby theme but it seems the PR for the fix: https://github.com/aTechGuide/gatsby-theme-blog-starter/pull/1/files Please let me know if I'm missing something, and thanks for your help.
@aTechGuide You're still seeing the issue because you haven't fundamentally changed your code. You can't use If you want to use
@ChristopherBiscardi Ah, I see now. These are my changes: aTechGuide/gatsby-theme-blog-starter#1 Thank you so much @ChristopherBiscardi for all your help. Really appreciate it.
Is your feature request related to a problem? Please describe.
We had been using a strict Content-Security-Policy on our website. After switching from Remark to MDX we noticed that it doesn't work anymore. The reason is this call, which evaluates JS code from a string:
gatsby-mdx/packages/gatsby-mdx/mdx-renderer.js
Line 22 in 25cce51
Describe the solution you'd like
Allowing 'unsafe-eval' opens the possibility of some XSS attacks. Thus, it would be nice to have MDX working without it. I'm not an expert on this, but maybe Gatsby allows programmatically creating pages from the React code that results from MDX.
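To make the CSP point in this issue concrete, here is an added Node script that is not code from gatsby-mdx or from any commenter. It parses a Content-Security-Policy header value, works out whether the effective script-src permits 'unsafe-eval' (including the spec's fallback from script-src to default-src, which goes slightly beyond the header quoted in the issue), and runs a rough textual scan for constructs such as `new Function(...)` that only work when 'unsafe-eval' is allowed. The header strings and the two renderer snippets are constructed for the example; the function names are my own.

```javascript
// Added example: audit a CSP header value for 'unsafe-eval' and flag JS source
// constructs that depend on it. Not part of gatsby-mdx.

// Parse a Content-Security-Policy header value into a Map of directive -> sources.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // Per the CSP spec a repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// Effective script sources: script-src if present, else default-src,
// else null (nothing restricts script execution at all).
function effectiveScriptSrc(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// True if a page served under this policy may call eval() / new Function().
function allowsUnsafeEval(header) {
  const sources = effectiveScriptSrc(parseCsp(header));
  if (sources === null) return true;
  return sources.includes("'unsafe-eval'");
}

// Rough static check for constructs that need 'unsafe-eval'. It is a plain
// textual scan, so minified bundles or indirect forms (window.Function,
// aliased eval) can slip past it; treat a hit as a lead, not a verdict.
const EVAL_PATTERNS = [
  { name: 'Function constructor', re: /\bnew\s+Function\s*\(/ },
  { name: 'direct eval', re: /\beval\s*\(/ },
  { name: 'string-argument setTimeout/setInterval', re: /\bset(?:Timeout|Interval)\s*\(\s*['"`]/ },
];

function findEvalConstructs(source) {
  return EVAL_PATTERNS.filter((p) => p.re.test(source)).map((p) => p.name);
}

// Constructed sample headers: the relaxed one that makes runtime evaluation
// work, and the strict one the issue author wants to keep.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval'; object-src 'none'";
const STRICT_CSP = "default-src 'self'; script-src 'self'; object-src 'none'";

// Constructed stand-in for the renderer pattern the issue describes:
// compiled MDX handed to the Function constructor at runtime.
const EVAL_RENDERER_SNIPPET = `
  const fn = new Function('React', 'mdx', compiledCode);
  return fn(React, mdx);
`;

// Constructed stand-in for a precompiled component: nothing is evaluated at runtime.
const PRECOMPILED_SNIPPET = `
  import Post from './compiled/post.js';
  return React.createElement(Post);
`;

// Combine both checks: is this source deployable under this header?
function audit(header, source) {
  const constructs = findEvalConstructs(source);
  const policyAllowsEval = allowsUnsafeEval(header);
  return {
    policyAllowsEval,
    constructs,
    compatible: constructs.length === 0 || policyAllowsEval,
  };
}

console.log('eval renderer under strict CSP:', audit(STRICT_CSP, EVAL_RENDERER_SNIPPET));
console.log('precompiled under strict CSP:', audit(PRECOMPILED_SNIPPET === '' ? WEAK_CSP : STRICT_CSP, PRECOMPILED_SNIPPET));
```

Run with `node csp-audit.js`; the first audit reports `compatible: false` because the Function constructor needs 'unsafe-eval' that the strict header does not grant, while the precompiled snippet passes under the same header. Pointing the scan at the built client bundle rather than at a snippet is the realistic use.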