Unsafe eval issues is back

[middiu]

Hello,

I can see that this issue was fixed almost two years ago, but I still get. #35
I'm using latest version of the library 4.4.4, and this is the error in the browser console:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://www.googletagmanager.com".

Checking the error it seems to be pointing to ShortUniqueId class constructor.

The only way to use this library now with CSP is to set script-src: 'unsafe-eval' which make CSP useless.

[codebycarlos]

I'm also getting Uncaught EvalError: call to Function() blocked by CSP

[jeanlescure]

Interesting, our usage of the Function native class has nothing to do with doing an "eval", even though I am aware that there's such a usage for it.

This is definitely a false positive.

Even though I think it's not a trivial change I'll try to find a workaround to how we define the ShortUniqueId class instance so it continues to work both as an object as well as a function.

[mac-cain13]

FWIW: I wanted to use this library in a Cloudflare Worker and ran into the code generation error that is also mentioned in #45. The ShortUniqueId class inheriting from Function seems to be what triggers the issue.

Would be great if this can be fixed properly, but to unblock myself I worked around this by creating a fork. The only change is that I removed the inheritance from Function so you must construct the thing as an object. Which is fine for my use case.

The fork can be found here: https://github.com/nonstrict-hq/short-unique-id

@jeanlescure do you have an idea whether this can be fix in a more structural way? Would be great to use this lib in more contexts.

[jeanlescure]

@mac-cain13 version 5 has just been released and it has been refactored to not be callable as a function: https://github.com/simplyhexagonal/short-unique-id#-v5-notice

Do let us know if the code generation error has gone away.

Cheers 🍻

[jeanlescure]

Closing issue for now as we had no way to reproduce and new version should address what was originally described.

If problem persists feel free to open a new issue 😃