Problems with CSP #86
Comments
I have such a policy on the website:

```ts
if (window.trustedTypes && window.trustedTypes.createPolicy) {
  window.trustedTypes.createPolicy('default', {
    createScriptURL: (urlStr: string) => {
      if (typeof urlStr !== 'string') {
        throw new TypeError('invalid URL');
      }
      const url = new URL(urlStr, window.location.origin);
      if (url.origin !== window.location.origin) {
        throw new TypeError('invalid URL');
      }
      return urlStr;
    },
    createScript: (string) => string,
  });
}
```

But the code above still causes a CSP error. I started debugging the code and looked at the error in catch
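The same-origin test from the `createScriptURL` callback in the comment above, pulled out as a plain function so its behaviour on different URL shapes can be checked outside the browser. This is an added example, not code from the thread or from msgpackr; `PAGE_ORIGIN`, `checkScriptURL`, `report` and the sample URLs are constructed for illustration.

```javascript
// Added example (not from the thread): the same-origin test used in the
// createScriptURL callback above, as a plain function that runs in Node.
// PAGE_ORIGIN is a constructed stand-in for window.location.origin.
const PAGE_ORIGIN = 'https://app.example';

function checkScriptURL(urlStr, pageOrigin = PAGE_ORIGIN) {
  if (typeof urlStr !== 'string') {
    return { allowed: false, reason: 'not a string' };
  }
  let url;
  try {
    // Relative inputs resolve against the page origin, as in the policy.
    url = new URL(urlStr, pageOrigin);
  } catch (err) {
    return { allowed: false, reason: 'unparseable URL' };
  }
  if (url.origin !== pageOrigin) {
    return { allowed: false, reason: 'origin ' + url.origin };
  }
  return { allowed: true, resolved: url.href };
}

// Constructed sample inputs, one per parsing case worth knowing about.
const SAMPLES = [
  '/static/worker.js',                  // relative path
  'https://app.example/sw.js',          // absolute, same origin
  '//cdn.example/lib.js',               // protocol-relative, other host
  '\\\\cdn.example\\lib.js',            // backslashes parse like slashes
  'http://app.example/sw.js',           // same host, different scheme
  'https://app.example:8443/sw.js',     // same host, different port
  'data:text/javascript,0',             // opaque origin, serialised "null"
  'blob:https://app.example/0000-1111', // blob: takes the inner URL's origin
];

function report(samples = SAMPLES) {
  return samples.map((s) => ({ input: s, ...checkScriptURL(s) }));
}

console.table(report());
```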
So you are getting an error thrown before the unpack.js module even starts running (so the try/catch won't catch this). I suppose maybe I could add something to the build script to generate an unpack-safe.js or unpack-noeval.js that strips out the

If this code is no longer present in the library, it will definitely help. But the decision to split the code into 2 because of one line is not very optimal...

This should be addressed in v1.8.0, with a separate dist/build of msgpackr that does not use

Thanks!

It is the dist/index-no-eval.js file (and yes, it is in the docs).

Thanks!

I'm sorry, but I get an error when I try to import

```ts
import { Packr } from 'msgpackr/dist/index-no-eval';
```

webpack error:

Also, TypeScript types do not work with such an import.

You need to add to package.json the entry

```json
"files": [
  "dist/**",
]
```

Sorry, I didn't realize you were loading these as modules. Are you wanting to load the entire msgpackr bundle as a module, or specifically the unpack module (without Function/eval)?

on the server I use only the unpack module and this is what I use CSP I need a module without eval

Published and export (msgpackr/unpack-no-eval) in v1.8.1.

everything is ok with the import, but the types for this module are not available (

There is code in the library
It causes problems when using Trusted Types on the site
In addition to the fact that the code generates an error, it is also blocked