pdfkit fails with Content-Security-Policy enabled #1104
Comments
|
Version of restructure is defined in fontkit. I have maintainer access to pdfkit and restructure. But no to fontkit... therefore, the solution is problematic. @devongovett fontkit requires an update. |
|
Seems the isuse was fixed in fontkit 1.8.1? :) Edit: I read the commit message, but didn't see the diff. restructure was not bumped in this release. |
|
No, in fontkit version 1.8.1 is not fixed. |
|
As far as I understand, this has to be fixed in fontkit, but no issue is linked. Does the issue still need to be created?
@martynasma Which version of restructure fixes the issue? There is a PR to update restructure to v2. However, it seems that the repository is not maintained anymore. I'll contact @devongovett, who seems to be the only one with permissions to that repository. |
Bug Report
Hey from amCharts. We're using pdfkit (indirectly via pdfmake) to export charts to PDF in our flagship dataviz lib, and running into a bit of an issue with security-conscious users.
Description of the problem
pdfkit fails with a critical security error if the page has
Content-Security-Policyenabled. E.g.:The above header prevents in-line script creation, which is a reasonable security measure, preventing any unauthorized JS code to be activated on the we page.
It originates in
Pointerfunction which for some reason is using eval'ed code to generate function references:The function comes from an old version of restructure used by one of pdfkit's dependencies - fontkit.
The issue has already been addressed in restructure, so it's just a matter of upgrading the whole chain of dependencies. Taking into account that all three libs are maintained by foliojs, it shouldn't be that hard? ;)
Live examples
With CSP enabled (failing, see browser console):
http://test.amcharts.com/demo/pdfkit/with-CSP/
Without CSP (working fine)
http://test.amcharts.com/demo/pdfkit/without-CSP/
Your environment
The text was updated successfully, but these errors were encountered: