messageformat requires unsafe-eval in Content-Security-Policy #180
Comments
|
If you build your messages (say, as part of your webpack build), they get built into very small, fast functions that don’t violate |
|
I have a use case where the message strings are only available at runtime, not build-time, and I cannot change the CSP to allow eval. Is there any hope for a mechanism that will allow messageformat to work in that environment? |
|
it’s unlikely with our setup I think. The formatjs folks have their own
very similar version though `intl-messageformat` I’m pretty sure. That’ll
do what you’re looking for.
…On Sun, Mar 4, 2018 at 12:23 AM Simon Tesla ***@***.***> wrote:
I have a use case where the message strings are only available at runtime,
not build-time, and I cannot change the CSP to allow eval. Is there *any*
hope for a mechanism that will allow messageformat to work in that
environment?
—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub
<#180 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAF5KkodbBRj5qb5JcVa2oCxfGYxUI2Wks5ta6RpgaJpZM4P6xv_>
.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When using a CSP which does not allow unsafe-eval, the 'new Function' throws an EvalError, as per the spec.
However, messageformat uses this:
if (typeof messages != 'object') {
var fn = new Function(
'number, plural, select, fmt', Compiler.funcname(locale),
'return ' + obj);
var rt = this.runtime;
return fn(rt.number, rt.plural, rt.select, this.fmt, pf[locale]);
}
Is there another way to fix this.
The text was updated successfully, but these errors were encountered: