Content Security Policy infringing code #126

Open
kyranjamie opened this issue Sep 14, 2020 · 1 comment
kyranjamie commented Sep 14, 2020

This package depends on ajv, which internally uses new Function(..., sourcecode), equivalent to eval(). This is documented in their readme.

The result of this is that any package bundling conf (or electron-store) infringes secure CSPs. That is, a CSP without an 'unsafe-eval' directive.

Ideally, a package shouldn't prohibit use of a strict CSP.

  • Are there any workarounds I'm not aware of that can be documented?
  • Does this package need to be modularised so that those with no CSP & wanting schema validation can have this functionality?
kyranjamie (Author) commented

A workaround can be found in this PR leather-io/desktop#299

If you don't need to use the schema validation functionality, omit ajv, and create an alias to a stub.

```js
const webpack = require('webpack');
// ... inside the webpack configuration object:
plugins: [
  // Skip the require('ajv') that conf makes, so no eval-based code ends up in the bundle
  new webpack.IgnorePlugin(/ajv/, /^conf$/),
],
```
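As an added example (not code from this issue, from conf or from ajv) tying together the CSP point in the first comment and the bundling workaround in the second: a build-time check that parses the app's CSP and, when it does not grant 'unsafe-eval', scans the bundle text for the new Function / eval constructs the policy would block at runtime. The sample bundle fragment and the CSP strings are constructed for the demonstration.

```javascript
// Added example, not code from the issue or from conf/ajv: a build-time check that
// flags eval-like constructs in a bundle when the app's CSP does not grant 'unsafe-eval'.
// Parse a CSP string and decide whether eval()/new Function() is permitted.
// script-src governs script execution; default-src is the fallback when it is absent.
function cspAllowsEval(csp) {
  const directives = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  const sources = directives['script-src'] || directives['default-src'];
  if (!sources) return true; // no applicable directive, so the CSP does not restrict eval
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Heuristic regex over source text (not a JS parser) for the constructs a strict CSP
// blocks at runtime; ajv's generated validators are built with new Function.
const EVAL_LIKE = /\b(?:new\s+Function\s*\(|eval\s*\()/g;

function findEvalLikeCode(source) {
  const hits = [];
  source.split('\n').forEach((line, idx) => {
    EVAL_LIKE.lastIndex = 0;
    let m;
    while ((m = EVAL_LIKE.exec(line)) !== null) {
      hits.push({ line: idx + 1, match: m[0].replace(/\s+/g, ' '), text: line.trim() });
    }
  });
  return hits;
}

// Returns the offending lines, or an empty list when the bundle is acceptable under the
// policy (no eval-like code, or the CSP explicitly allows it).
function checkBundleAgainstCsp(csp, bundleSource) {
  if (cspAllowsEval(csp)) return [];
  return findEvalLikeCode(bundleSource);
}

// Constructed sample bundle fragment, shaped like ajv-style validator generation.
const SAMPLE_BUNDLE = [
  'function compile(schema) {',
  "  var code = 'return function validate(data) { return true; }';",
  "  return new Function('schema', code)(schema); // codegen the CSP will block",
  '}',
].join('\n');

const STRICT_CSP = "default-src 'self'; script-src 'self'";
const LAX_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval'";
```

Run it over the real webpack output (for example by reading the emitted bundle file) as a CI step; a non-empty result under the strict policy means the IgnorePlugin/alias workaround above did not take effect.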
