Are you using eval?

Open linonetwo opened this issue 6 years ago • 3 comments

I got this:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'nonce-iEsD2if45rrVbpVQzGD2Cw=='".

linonetwo avatar Feb 09 '20 02:02 linonetwo

It is, with the Function syntax: https://github.com/mikolalysenko/box-intersect/blob/master/lib/brute.js#L138

tdelmas avatar Feb 16 '20 16:02 tdelmas

Maybe use something like https://github.com/patriksimek/vm2/issues/85

linonetwo avatar Feb 16 '20 16:02 linonetwo

I don't think vm2 will help websites use a safe CSP with this project; also, it may harm performance. Maybe an option could specify if we want to switch between the fast generated function or a non-generated function, if the maintainer really wants to keep the generated function?

@mikolalysenko are you interested in a PR to solve that problem? I really think it's important to allow websites to use a strong CSP.

tdelmas avatar Feb 16 '20 16:02 tdelmas
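
The option proposed in the last comment, sketched as an added example that is not part of the thread and not box-intersect's own code: a factory that tries a generated function and falls back to a plain closure when the runtime refuses string evaluation, as in the reported `EvalError`. All function names, the `codegen` and `compile` options, and the flat `[lo..., hi...]` box layout are assumptions made for illustration.

```javascript
// Added example; every name here is hypothetical, not box-intersect's API.
// Default compiler: the `new Function` form CSP refuses without 'unsafe-eval'.
function defaultCompile(params, body) {
  return new Function(...params, body);
}

// Portable path: a plain closure with no string-to-code step.
function makeLoopOverlap(d) {
  return function overlaps(a, b) {
    // Assumed box layout: [lo_0 .. lo_{d-1}, hi_0 .. hi_{d-1}]
    for (let i = 0; i < d; i++) {
      if (a[i] > b[i + d] || b[i] > a[i + d]) return false;
    }
    return true;
  };
}

// Fast path: unroll the per-axis comparisons into one generated expression.
// Only validated integers are interpolated into the source text.
function makeGeneratedOverlap(d, compile) {
  const tests = [];
  for (let i = 0; i < d; i++) {
    tests.push(`a[${i}] <= b[${i + d}] && b[${i}] <= a[${i + d}]`);
  }
  return compile(['a', 'b'], `return ${tests.join(' && ')};`);
}

// codegen 'auto' tries the generated function and falls back on a CSP refusal;
// codegen 'never' skips code generation so no violation report is triggered.
function makeOverlapTest(d, { codegen = 'auto', compile = defaultCompile } = {}) {
  if (!Number.isInteger(d) || d < 1) throw new RangeError('dimension must be a positive integer');
  if (codegen === 'never') return { mode: 'loop', overlaps: makeLoopOverlap(d) };
  try {
    return { mode: 'generated', overlaps: makeGeneratedOverlap(d, compile) };
  } catch (err) {
    // The refusal surfaces as EvalError (see the report above); rethrow anything else.
    if (err.name !== 'EvalError') throw err;
    return { mode: 'loop', overlaps: makeLoopOverlap(d) };
  }
}

// Constructed stand-in for a page whose script-src lacks 'unsafe-eval'.
function cspBlockedCompile() {
  throw new EvalError('Refused to evaluate a string as JavaScript');
}
```

With `codegen: 'auto'` the blocked attempt can still produce a CSP violation report, so a site that monitors reports would pass `codegen: 'never'`.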