
Security policy not passing

Open ptorrent opened this issue 1 year ago • 3 comments

Hello,

We're using a security header (Content-Security-Policy) on the page and we don't allow unsafe-eval. I see that there is a "new Function" in your code that is blocked by this header...

Refused to evaluate a string as JavaScript because 'unsafe-eval'

Is there a way to change the new Function call?

Jul 15 '24 10:07 ptorrent

Hi. I don't see any workarounds for this case. Tangular compiles the input text into a function. So in this case, it is not possible to use Tangular and our platform (most functionality uses new Function evaluation).

Jul 15 '24 11:07 petersirka

OK, thanks a lot for your message! I will find a workaround, maybe you should care about that... a lot of websites are using CSP with inline-script not allowed.

Jul 15 '24 11:07 ptorrent

I understand and will consider it, but this is the most powerful functionality available in dynamic languages for dynamic parts and components. It's solvable via a precompiled template, so the server must return the compiled function directly.

Jul 15 '24 12:07 petersirka
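
The precompiled-template approach mentioned in the last comment, sketched as an added example that is not Tangular's code or part of the original thread: a build step emits the template as a static script, so the page needs no `unsafe-eval`. The mini-syntax, `compileToSource`, `esc`, the `TEMPLATES` registry and the `/js/templates.js` path are hypothetical names chosen for illustration.

```javascript
// Added example: build-time (Node.js) precompilation, so the browser never calls new Function.
// Hypothetical mini-syntax: only {{ dotted.path }} placeholders, always HTML-escaped.

// Runtime helper; its source text is copied into the emitted file via toString().
function esc(v) {
  return String(v == null ? '' : v).replace(/[&<>"']/g, c => '&#' + c.charCodeAt(0) + ';');
}

// Returns JavaScript source text that registers the template under globalThis.TEMPLATES[name].
function compileToSource(name, template) {
  // Placeholders are limited to dotted identifiers, so template text cannot become code.
  const re = /\{\{\s*([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)\s*\}\}/g;
  const parts = [];
  let last = 0;
  for (let m; (m = re.exec(template)); ) {
    parts.push(JSON.stringify(template.slice(last, m.index))); // literal HTML chunk
    parts.push('esc(model.' + m[1] + ')');                     // escaped model lookup
    last = re.lastIndex;
  }
  parts.push(JSON.stringify(template.slice(last)));
  return '(function(){\n' +
    'var T=globalThis.TEMPLATES=globalThis.TEMPLATES||{};\n' +
    esc.toString() + '\n' +
    'T[' + JSON.stringify(name) + ']=function(model){return ' + parts.join('+') + ';};\n' +
    '})();\n';
}

// Build step: write this output to a static file (for example /js/templates.js) and load it
// with <script src="/js/templates.js"></script>. A policy such as
//   Content-Security-Policy: script-src 'self'
// allows that file, while new Function(...) in the page would still be refused.
console.log(compileToSource('greeting', '<p>Hello {{ user.name }}!</p>'));
```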