Unsafe eval in function constructor
anthony-arnold opened this issue
The ShortUniqueId constructor contains some eval code.
Inheriting from Function and calling its constructor violates strict Content-Security-Policy. The only way to use this library with CSP is to set script-src: 'unsafe-eval', which makes CSP kind of useless.
Is there a way to remove this eval code without introducing a regression?
Hi @anthony-arnold, thanks for the report!
I think the Proxy object might be our best bet here to refactor that eval out of our code base.
I'll create a branch and test this out; the only regression concern (off the top of my head) might be browser support.
I'll keep this issue updated as progress is made.
Hi @anthony-arnold, thanks for waiting this long. Last night v3.0.5 was released; it should do away with the CSP warning you were getting and introduces no regression.
Cheers
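The two ways of making a class instance callable that this thread discusses, side by side, as an added example that is not the library's code and not taken from the thread. It assumes Node.js and uses a `vm` context with `codeGeneration.strings` disabled as a stand-in for a policy without 'unsafe-eval'; `FunctionCallable`, `ProxyCallable`, `tryBothPatterns` and `runPatterns` are names constructed for the illustration.

```javascript
// Added illustration; all class and function names are constructed.
const vm = require("node:vm");

// Runs inside the restricted context. Builds a callable generator both ways
// and reports what happened as JSON.
function tryBothPatterns() {
  // Pattern A: inherit from Function. super() runs the Function constructor,
  // which compiles code from a string; a CSP without 'unsafe-eval' blocks it.
  class FunctionCallable extends Function {
    constructor() {
      super();
    }
  }

  // Pattern B: wrap a function literal in a Proxy. The apply trap makes the
  // instance callable; no string is ever compiled.
  class ProxyCallable {
    constructor() {
      this.counter = 0;
      return new Proxy(function () {}, {
        apply: () => this.next(),
        get: (_target, prop) => {
          const value = this[prop];
          return typeof value === "function" ? value.bind(this) : value;
        },
      });
    }
    next() {
      this.counter += 1;
      return "id-" + this.counter;
    }
  }

  const result = {};
  try {
    new FunctionCallable();
    result.functionSubclass = "ok";
  } catch (err) {
    result.functionSubclass = err.name;
  }
  const generate = new ProxyCallable();
  result.proxy = [generate(), generate.next()];
  return JSON.stringify(result);
}

// allowStrings=false mimics a policy without 'unsafe-eval'.
function runPatterns(allowStrings) {
  const context = vm.createContext({}, { codeGeneration: { strings: allowStrings } });
  return JSON.parse(vm.runInContext(`(${tryBothPatterns})()`, context));
}
```

`runPatterns(false)` reports an `EvalError` for the `Function` subclass while the Proxy-based instance still works both as a call and through its method.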