nbind
nbind copied to clipboard
Use of `eval` violates Content Security Policy in browsers
Hi,
I'm posting this issue as an indirect user of the product of your library, so sorry for any misunderstandings about how things work on my end.
Long story short, eval
is a somewhat contentious function in browser-land, and often a Content Security Policy for a website will prevent its use to avoid accidentally leaving any attack vectors open for running user-generated code.
I was looking to use React PDF, a popular library to render a PDF in a React app, which uses several dependencies to accomplish that task. One of its dependencies is Yoga, a cross-platform rendering engine that uses this project.
Ok, so that's how I got here. The issue with react-pdf
is summarized well in my issue there: https://github.com/diegomura/react-pdf/issues/510 . The owner of that repo suggested at least trying to start a conversation here.
I'm making this issue here to ask if it's at all possible for this project to not use eval
. I ask that with some hesitation, because I have a feeling it's fairly core to the functionality here, but it is worth asking. I know that this project is fairly far away from browser interaction in terms of intended scope, and on top of that it is working to bridge C++ and JS, so the answer may very likely be "no," but here I am 😄
Hi Team,
We have also used the same @react-pdf/renderer package but getting the CSP issue in the chrome browser, is anybody has any update on this or any workaround?
Thanks & Regards, Shyam Agarwal
Any updates ?
Any updates on this?
Also curious on this?
Would be great to fix this.
I think this issue at least deserves a response from the maintainers? Even if it’s a ‘no, we‘re not gonna spend time looking into that’?
Would be great to fix this, +1