Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed #491

Closed
guilala opened this Issue May 18, 2018 · 3 comments

Comments


guilala commented May 18, 2018

Security-wise, it's preferable to have Content-Security-Policy 'self' for script sources. But using regl with that policy runs into this error:

EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".

This happens in regl's function 'compile', at 'var proc = Function.apply(null, linkedNames.concat(src));'.

After adding 'unsafe-eval' to script source policy, regl runs just fine. But that's arguably a major drawback for using regl.

Is there really no way of avoiding methods similar to eval for parsing regl strings?

dy (Contributor) commented May 18, 2018

  • Conceivably there could be a static way to precompile shaders, e.g. reglify transform.
  • Possibly an alternative implementation of generic function with configurable variables is also possible.

But for now that is the essence of regl, experimenting would take weeks and performance is doubtful to match.
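The two routes the thread contrasts, as an added illustration (this is not regl's code): the string-building route that regl's compile step uses, which a page served with "script-src 'self'" refuses, and a closure-based "generic function with configurable variables" of the kind dy's second bullet sketches, which needs no 'unsafe-eval'. The recording `gl` stub, the `LOCS` table and the draw spec are constructed for the example.

```javascript
// Constructed stand-in for a WebGL context: records uniform uploads and draws.
function makeRecordingGL() {
  const calls = [];
  return {
    calls,
    uniform4fv(loc, value) { calls.push(['uniform4fv', loc, Array.from(value)]); },
    drawArrays(mode, first, count) { calls.push(['drawArrays', mode, first, count]); },
  };
}

// Assumed uniform locations, as a linked program would expose them.
const LOCS = { color: 7, offset: 3 };

// Code-generation route (the pattern behind regl's
// `Function.apply(null, linkedNames.concat(src))`): the procedure body is
// assembled as source text and handed to the Function constructor.
function compileDrawEval(uniforms) {
  const body = uniforms
    .map((u) => `gl.uniform4fv(locs.${u}, props.${u});`)
    .concat('gl.drawArrays(4, 0, 3);')
    .join('\n');
  // Throws EvalError under "script-src 'self'" without 'unsafe-eval'.
  return Function.apply(null, ['gl', 'locs', 'props', body]);
}

// Data-driven route: the same procedure built from closures over the
// uniform names. No string is ever evaluated, so a strict CSP is satisfied.
function compileDrawClosure(uniforms) {
  const setters = uniforms.map((u) => (gl, locs, props) => gl.uniform4fv(locs[u], props[u]));
  return (gl, locs, props) => {
    for (const set of setters) set(gl, locs, props);
    gl.drawArrays(4, 0, 3);
  };
}

// Load-time check a library can make instead of failing mid-draw: under a
// CSP that forbids 'unsafe-eval' the Function constructor throws EvalError.
function runtimeEvalAllowed() {
  try { Function('return 1'); return true; } catch (e) { return false; }
}

// Run both routes on the same constructed draw and return the recorded calls.
function runBoth() {
  const props = { color: [1, 0, 0, 1], offset: [0, 0.5, 0, 0] };
  const names = ['color', 'offset'];
  const a = makeRecordingGL();
  const b = makeRecordingGL();
  if (runtimeEvalAllowed()) compileDrawEval(names)(a, LOCS, props);
  compileDrawClosure(names)(b, LOCS, props);
  return { evalCalls: a.calls, closureCalls: b.calls };
}
```

In a browser under "script-src 'self'" only the closure route runs; in Node (no CSP) both run and produce identical call sequences.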

guilala commented May 30, 2018

Thanks for the answer, good to know. I'll have to add the policy, since regl is worth it :-)

@guilala guilala closed this May 30, 2018

jlfwong commented Aug 19, 2018

Hey, I've gotten a lot of use out of regl, and it allowed me to build https://github.com/jlfwong/speedscope without dealing with a lot of the pain of using WebGL APIs directly while still giving me a lot of control over the performance of the application via low-level primitives. On the whole, I've had a very positive experience both with the documentation and the library itself.

That said, I ultimately had to switch away from it because of its use of eval. In particular, if you want to build WebGL based tools and have them embed into other applications, for many people, it failing on a page with a strict content security policy is a showstopper.

In my particular case, speedscope is an in-browser profiling tool that people want to be able to host within their own domains. GitHub has a strict content security policy, so it blocked the merge of speedscope as the default visualizer for stackprof (See: tmm1/stackprof#100).

Because of this, I need to switch away from regl (See: jlfwong/speedscope#140).

No action needed on the part of regl maintainers, but I thought I would offer this as an example of where this can be a showstopper.

Thanks for writing regl and making it possible for me to make speedscope :)
