Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incompatible with content-security-policy without unsafe-eval #56

Closed
fzembow opened this issue Mar 13, 2021 · 2 comments · Fixed by #57 or #237
Closed

Incompatible with content-security-policy without unsafe-eval #56

fzembow opened this issue Mar 13, 2021 · 2 comments · Fixed by #57 or #237

Comments

@fzembow
Copy link

fzembow commented Mar 13, 2021

Hi! Thanks for maintaining this - I've been using both at work and for personal projects. Great to be able to quickly put together useful graphs.

Recently, I'm using this in an Electron app, which by default has a strict content security policy, blocking eval unless unsafe-eval is explicitly specified, which I wouldn't want to enable for security reasons.

Unfortunately, this line violates the policy, since the Function() constructor is effectively eval.

const globalNS: any = new Function("return this;")();

Perhaps we could use globalThis to get a reference to the global object, no matter the environment, which has decent browser support at this point (aside from IE)? WASM doesn't work in IE11 anyways so we wouldn't be losing much. Not sure if there is much node usage of this module but globalThis was introduced in node 12. The previous node release, 10, is being end-of-lifed on 2021-04-30.

Let me know and I could make a PR for it!
GordonSmith added a commit to GordonSmith/hpcc-js-wasm that referenced this issue Mar 13, 2021
@GordonSmith
fix: Remove "eval" code
4d5a0ee 
Switch to globalThis polyfill (primarily for Node 10)
Fix issue resetting wasmFolder to undefined

Fixes hpcc-systems#56

Signed-off-by: Gordon Smith <[email protected]>
@GordonSmith GordonSmith mentioned this issue Mar 13, 2021
Merged
@GordonSmith
Copy link
Member

FYI the graphviz team are planning a 2.47.0 release on Monday so I can release this fix in tandem with that?

@fzembow
Copy link
Author

fzembow commented Mar 13, 2021

Oh that would be perfect - no rush on my end :)

Have a pleasant weekend!

GordonSmith added a commit that referenced this issue Mar 13, 2021
@GordonSmith
Merge pull request #57 from GordonSmith/GH-56
16b7f92 
fix:  Remove "eval" code
This was referenced Aug 13, 2024
Merged
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: Remove "eval" code GordonSmith/hpcc-js-wasm
chore: release trunk hpcc-systems/hpcc-js-wasm
2 participants
@fzembow @GordonSmith