Unsafe eval issue is back
middiu opened this issue
Hello,
I can see that this issue was fixed almost two years ago (#35), but I still get it.
I'm using the latest version of the library, 4.4.4, and this is the error in the browser console:
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://www.googletagmanager.com".
Checking the error it seems to be pointing to ShortUniqueId class constructor.
The only way to use this library now with CSP is to set script-src: 'unsafe-eval', which makes CSP useless.
I'm also getting Uncaught EvalError: call to Function() blocked by CSP
Interesting, our usage of the Function native class has nothing to do with doing an "eval", even though I am aware that there's such a usage for it.
This is definitely a false positive.
Even though I think it's not a trivial change I'll try to find a workaround to how we define the ShortUniqueId class instance so it continues to work both as an object as well as a function.
FWIW: I wanted to use this library in a Cloudflare Worker and ran into the code generation error that is also mentioned in #45. The ShortUniqueId class inheriting from Function seems to be what triggers the issue.
Would be great if this can be fixed properly, but to unblock myself I worked around this by creating a fork. The only change is that I removed the inheritance from Function, so you must construct the thing as an object. Which is fine for my use case.
The fork can be found here: https://github.com/nonstrict-hq/short-unique-id
@jeanlescure do you have an idea whether this can be fixed in a more structural way? Would be great to use this lib in more contexts.
@mac-cain13 version 5 has just been released and it has been refactored to not be callable as a function: https://github.com/simplyhexagonal/short-unique-id#-v5-notice
Do let us know if the code generation error has gone away.
Cheers 🍻
Closing the issue for now, as we had no way to reproduce it and the new version should address what was originally described.
If problem persists feel free to open a new issue 😃