Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

eval usage is not allowed when using a sensible CSP #106

Closed
buesing opened this issue Jun 4, 2021 · 1 comment
Closed

eval usage is not allowed when using a sensible CSP #106

buesing opened this issue Jun 4, 2021 · 1 comment

Comments

@buesing
Copy link

buesing commented Jun 4, 2021

I recently added a content security policy to my site and now I'm seeing this error:
nextZero EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' blob:".. It's because this library is using an eval call here:

browser-image-compression/lib/web-worker.js

Line 35 in 0191a7a

result[key] = eval(value.replace(/^BIC_FN:::/, ''))

I'm wondering if this can be rewritten to use a different parsing strategy. Using eval is generally discouraged.
Donaldcwl added a commit that referenced this issue Feb 15, 2023
@Donaldcwl
fix: solve error in sensible CSP environment #106
d33605f
Donaldcwl added a commit that referenced this issue Feb 15, 2023
@Donaldcwl
fix: solve error in sensible CSP environment #106, circular dependency
f222d95 
…#34
This was referenced Mar 5, 2023
Closed
Merged
@Donaldcwl
Copy link
Owner

Removed use of eval in v2.0.1.
Please read: https://github.com/Donaldcwl/browser-image-compression#remarks-on-content-security-policy-csp

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@buesing @Donaldcwl