Issues with Content Security Policy

[kailashrdave]

We are using CASL for our project to check permissions.
recently we encountered that there are some issues with CSP in our application.
Going further, we found that it is because of sift.js which has something like following in javascsript...

return"string"==typeof e?new Function("obj","return "+e)

CASL uses "sift" for Mongo DB like filters in javascript.
I tried to go through CASL documentation, but found nothing related to CSP or Security.
Has anybody got this issue before? Is it possible to fix this without adding "unsafe-eval"

following is the code snippet from stif.js which causes problem

[stalniy]

@crcn Any thoughts?

[kailashrdave]

@crcn , @stalniy , could you please help to fix this issue.

[stalniy]

@crcn the simplest way to support this from your side is to provide CSP compliant version as a separate bundle e.g. sift.csp.min.js

Update: This version of bundle won't support new Function in $where operator

[stalniy]

I can send a PR for this, otherwise I would be forced to publish a forked version...

[crcn]

the simplest way to support this from your side is to provide CSP compliant version as a separate bundle e.g. sift.csp.min.js

great idea 👍. If you want to submit a PR I'd be happy to merge it in.

[crcn]

However, what are your thoughts around removing the eval code? That would obviously require a major version bump.

[stalniy]

You don’t need a major version bump. You will have just an additional file. So eventually there will be 2 files: sift.js and sift.csp.js

People will be able to use whatever file fits their needs.

The plan is to add if statement with process.env.CSP_ENABLED. Using webpack or rollup (roll up is better to library development, less overhead in the bundle) I can inject this property and create 2 different files:

• one the same as now (sift.js) CSP_ENABLED = false
• and csp compliant version CSP_ENABLED = true

Uglifier can optimize this if (i.e. remove it)

[stalniy]

Are you ok to replace webpack with rollup? because I see that you started to integrate it :)

[stalniy]

No worries I will use webpack :)

[stalniy]

Done, now there is a new sift.csp.min.js file, which people can require using:

• require('sift/sift.csp.min')
• import sift from 'sift/sift.csp.min'

in order to use CSP compliant version, for the rest of the world everything remains the same, so this is a minor version update

[crcn]

Thanks @stalniy! Published to NPM as 9.0.1. Lmk if your issue is fixed @kailashrdave.

[stalniy]

I missed one important thing... Webpack uses window as default global variable and for proper UMD build it should be this

[stalniy]

please check #170