Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unsafe eval issues is back #53

Closed
middiu opened this issue Jun 1, 2022 · 5 comments
Closed

Unsafe eval issues is back #53

middiu opened this issue Jun 1, 2022 · 5 comments

Comments

@middiu
Copy link

middiu commented Jun 1, 2022

Hello,

I can see that this issue was fixed almost two years ago, but I still get. #35
I'm using latest version of the library 4.4.4, and this is the error in the browser console:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://www.googletagmanager.com".

Checking the error it seems to be pointing to ShortUniqueId class constructor.

The only way to use this library now with CSP is to set script-src: 'unsafe-eval' which make CSP useless.
@codebycarlos
Copy link

I'm also getting Uncaught EvalError: call to Function() blocked by CSP

@jeanlescure
Copy link
Collaborator

Interesting, our usage of the Function native class has nothing to do with doing an "eval", even though I am aware that there's such a usage for it.

This is definitely a false positive.

Even though I think it's not a trivial change I'll try to find a workaround to how we define the ShortUniqueId class instance so it continues to work both as an object as well as a function.

@mac-cain13
Copy link

FWIW: I wanted to use this library in a Cloudflare Worker and ran into the code generation error that is also mentioned in #45. The ShortUniqueId class inheriting from Function seems to be what triggers the issue.

Would be great if this can be fixed properly, but to unblock myself I worked around this by creating a fork. The only change is that I removed the inheritance from Function so you must construct the thing as an object. Which is fine for my use case.

The fork can be found here: https://github.com/nonstrict-hq/short-unique-id

@jeanlescure do you have an idea whether this can be fix in a more structural way? Would be great to use this lib in more contexts.

@jeanlescure
Copy link
Collaborator

@mac-cain13 version 5 has just been released and it has been refactored to not be callable as a function: https://github.com/simplyhexagonal/short-unique-id#-v5-notice

Do let us know if the code generation error has gone away.

Cheers 🍻

@jeanlescure
Copy link
Collaborator

Closing issue for now as we had no way to reproduce and new version should address what was originally described.

If problem persists feel free to open a new issue 😃

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@middiu @mac-cain13 @jeanlescure @codebycarlos