Security-wise, it's preferable to have Content-Security-Policy 'self' for script sources. But using regl with that policy runs into this error:
This happens in regl's function 'compile', at 'var proc = Function.apply(null, linkedNames.concat(src));'.
After adding 'unsafe-eval' to script source policy, regl runs just fine. But that's arguably a major drawback for using regl.
Is there really no way of avoiding methods similar to eval for parsing regl strings?
But for now that is the essence of regl; experimenting would take weeks and performance is doubtful to match.
Hey, I've gotten a lot of use out of regl, and it allowed me to build https://github.com/jlfwong/speedscope without dealing with a lot of the pain of using WebGL APIs directly while still giving me a lot of control over the performance of the application via low-level primitives. On the whole, I've had a very positive experience both with the documentation and the library itself.
That said, I ultimately had to switch away from it because of its use of eval. In particular, if you want to build WebGL based tools and have them embed into other applications, for many people, it failing on a page with a strict content security policy is a showstopper.
In my particular case, speedscope is an in-browser profiling tool that people want to be able to host within their own domains. GitHub has a strict content security policy, so it blocked the merge of speedscope as the default visualizer for stackprof (See: tmm1/stackprof#100).
Because of this, I need to switch away from regl (See: jlfwong/speedscope#140).
No action needed on the part of regl maintainers, but I thought I would offer this as an example of where this can be a showstopper.
Thanks for writing regl and making it possible for me to make speedscope :)
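
An added example, not regl's code and not written by anyone in this thread: the `Function.apply(null, linkedNames.concat(src))` pattern quoted in the issue next to a closure-based equivalent that runs under a script-src policy without 'unsafe-eval', plus a probe that picks between them. Every function name, the `fields` shape and the `BlockedFunction` stand-in are hypothetical.

```javascript
// Pattern from the issue: generate source text and link values into it by
// name with the Function constructor. A policy without 'unsafe-eval' blocks it.
function compileWithCodegen(fields, FunctionCtor = Function) {
  const linkedNames = fields.map((_, i) => 'get' + i);
  const src = 'return function (props) { return [' +
    linkedNames.map((n) => n + '(props)').join(', ') + ']; };';
  const proc = FunctionCtor.apply(null, linkedNames.concat(src));
  return proc.apply(null, fields.map((f) => f.get));
}

// The same specialization built from closures: no string is ever compiled,
// so it works when script-src is limited to 'self'.
function compileWithClosures(fields) {
  const getters = fields.map((f) => f.get);
  return function (props) {
    const out = new Array(getters.length);
    for (let i = 0; i < getters.length; i++) out[i] = getters[i](props);
    return out;
  };
}

// Probe whether string-to-code compilation is permitted in this context.
function codegenAllowed(FunctionCtor = Function) {
  try {
    return FunctionCtor.apply(null, ['return 1'])() === 1;
  } catch (err) {
    return false; // browsers throw EvalError when the policy forbids it
  }
}

// Use codegen only where the policy allows it; otherwise fall back.
function compile(fields, FunctionCtor = Function) {
  return codegenAllowed(FunctionCtor)
    ? compileWithCodegen(fields, FunctionCtor)
    : compileWithClosures(fields);
}

// Constructed sample input (hypothetical per-draw property accessors).
const fields = [
  { get: (p) => p.color },
  { get: (p) => p.offset * 2 },
];

// Constructed stand-in for the Function constructor on a page whose policy
// lacks 'unsafe-eval'; lets the fallback path run outside a browser.
function BlockedFunction() {
  throw new EvalError('blocked by CSP (simulated)');
}
```

In a browser the probe is itself a blocked evaluation and will appear in CSP violation reports, so run it once and cache the result.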