Compatibility with Content Security Policy without 'unsafe-eval'? #162
Comments
|
Just noticed the |
|
Thanks for digging into this! I recently did a big dependency update of the mashlib stack but didn't drill down into solid-auth-client. Sounds like I should have, so I made a note of it. I'll try to find time to look into this! |
|
Presumably this issue can now be closed as no longer relevant given that solid-auth-client is now a legacy library and there are other more major security issues? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I tried to use
solid-auth-client.bundle.jsto add solid to an existing website that uses Content Security Policy and ran into the error:EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: ...Obviously the error can be avoided by setting
unsafe-eval, but it would be great if this wasn't necessary.It appears the error is due to
Functionconstructor calls in solid-auth-client dependencies.The ones I found are:
@trust/json-document, which it appears is a dependency of@solid/oidc-rpboth directly and indirectly via@solid/jose.https://github.com/anvilresearch/json-document/blob/c2be5e377ebfda753ec9753d5107557617e08b64/src/Validator.js#L64
https://github.com/anvilresearch/json-document/blob/c2be5e377ebfda753ec9753d5107557617e08b64/src/Initializer.js#L34
In the webpack build of browser/index.js:
It appears this is a webpack configuration issue somewhere, requiring a
node:falsesetting?https://stackoverflow.com/questions/48695579/how-to-remove-eval-and-function-constructor-from-webpack-build-to-avoid-csp-issu
Fixing this is a bit out of my depth but I thought I'd share what I discovered so far...
The text was updated successfully, but these errors were encountered: