Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

JS: Comply with CSP no-unsafe-eval. #8864

merged 1 commit into from Oct 14, 2021


Copy link

@MarnixBouhuis MarnixBouhuis commented Aug 6, 2021

The current implementation uses Function('return this')() to get the global object. This does not work if you are using protobuf on the web and you disallow unsafe-eval with a CSP header.

This PR changes the way the global object is retrieved: it calls a function and sets this to the global object by calling it with .call(null). Then this is returned.

Note: this won't work when you are using js strict mode (use strict).
If running in strict mode, it will use different fallbacks (that work with CSP settings that disallow eval), if none work it will fall back to the current way of getting the global object.

This fixes:

@google-cla google-cla bot added the cla: yes label Aug 6, 2021
@acozzette acozzette requested a review from lukesandberg Aug 13, 2021
@acozzette acozzette added javascript release notes: yes kokoro:run labels Oct 12, 2021
@acozzette acozzette merged commit 6bc21b5 into protocolbuffers:master Oct 14, 2021
45 of 47 checks passed
Copy link

@acozzette acozzette commented Oct 14, 2021

Thanks, @MarnixBouhuis.

Copy link
Contributor Author

@MarnixBouhuis MarnixBouhuis commented Oct 15, 2021

Thanks for merging!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
cla: yes javascript release notes: yes
None yet

Successfully merging this pull request may close these issues.

None yet

3 participants