-
Notifications
You must be signed in to change notification settings - Fork 834
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Content Security Policy: Uncaught EvalError #468
Comments
That won’t work in this case, because EJS works by transpiling the |
that is not the way ejs was used where I worked, it's not how I use it today, and by looking at github search the first 3 i looked at don't use I actually can't even see why you would use Perhaps anyone reading this, because they are using ejs on a site with CSP (where would you not want CSP !?!?) perhaps consider just forking the project Anyway, just thought i'd try to unvendor some forked projects that are poor security (like this one) turns out it is still ignoring CSP |
If somebody wants to submit a PR to fix this, preferably with an accompanying test case, we'd be happy to take a look. However, be aware, this is not the only instance where EJS uses |
Sorry @RyanZim you won't like the state of mine, it's at least 50% removed code, such is the way of forks right? If you are looking for a CSP friendly solution, you'll be removing functionality guaranteed. Mustache counldn't do it so the fork called micromusstache exists for this exact reason. |
Got it, yeah, a fork is probably a necessary evil in that case. |
The two usages I see are:
and
Am I missing any others? Based on a superficial understanding from the comments there, those fallbacks could be removed, leaving it up to the user to configure Babel/etc to be responsible for that legacy support instead. (This is pretty much unavoidable anyway for anyone still supporting IE11 but wanting to use many other common NPM libraries) Alternatively, that removal could be an opt-in if those blocks were surrounded by a conditional that checked something that could be hardcoded by DefinePlugin. Removing the fallbacks would require a new major version, but the DefinePlugin approach wouldn't. Async browser support: https://caniuse.com/async-functions What do you think? Is either of those options (or both?) a viable path forward? Thanks. |
I'm still running into the same issue.. Is there any update? |
We are integrating
We found this potential solution that overcomes this security error (facebook/regenerator#336 (comment)) But it is not approved here yet, is there an update on this issue? |
I just did some checking up, and the fundamental problem is much deeper than just the use of the The real problem is that EJS uses the same construct to execute the programmatically created string of JS source-code that dynamically renders each template. This is the heart of EJS. We used to use EJS is effectively a JavaScript runtime, and given how malleable JavaScript itself is, it can't be locked down and made completely safe at its point of execution. The documentation on CSP notes that the If anybody can come up with an alternative method for dynamically creating and executing JavaScript code on the fly, that doesn't run afoul of the CSP settings which seems specifically designed to prevent it, I am open to trying it. At this point, I am unaware of anything that will do that. I am closing this issue. Apologies for the length of time it remained open. |
I'm using EJS to render templates in a Browser Extension and the use of
new Function("return this;")
is throwing a CSP error. I'm building from the npm package, but looked into the client side distribution and noticed the same eval occurs there as well. (https://github.com/mde/ejs/blob/v2.6.2/lib/ejs.js#L106)Here's an example of a fix that works in the browser extension context. I'd be happy to open a PR and validate the fix in the context if it's an acceptable change.
The text was updated successfully, but these errors were encountered: