-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
@protobufjs/inquire violates default content security policy #997
Comments
I have the same problem. Electron 2.0.0 now prints out a warning if the web page has no Content-Security-Policy, or if it has one but |
From the perspective of a security engineer who deploys Content Security Policy across a large number of applications, it would be great to have this code refactored to not rely on If this is difficult to refactor, just making sure that this is only executed in non-browser environments would be a reasonable workaround. |
How about using const mod = new Function("id", "return require(id)")(moduleName) |
|
I've replaced protobuf.js with https://github.com/mapbox/pbf |
protobuf.js version: 6.8.6
There's a special code inside
@protobufjs/inquire
:If I apply "Content-Security-Policy" without additional exceptions to allow
eval
than it's prohibited. Actually it's the onlyeval
in my ~1Mb minified file.Probably there's a way to avoid it and become CSP compliant?
UPD: I'm using minimal variant with everything inbuilt.
The text was updated successfully, but these errors were encountered: