
Remove unsafe-eval from CSP

Open conorsch opened this issue 7 years ago • 0 comments

Follow-up to #431. As @emkll noted over there:

unsafe-eval is required for client/common/js/common.js:645 and /client/tor/js/torEntry.js:89. We should consider fixing this, as it would be another big win.

@harrislapiroff adds:

Currently the policy includes unsafe-eval, meaning that JavaScript eval() statements will run. This is necessary because of the way webpack is compiling our JavaScript, but it would be ideal to get rid of this. I'm looking into why webpack is using eval for compilation (you can see my comments above for the state of the research).

Let's clean up the JS until we can remove unsafe-eval from the CSP_SCRIPT_SRC directive altogether.

conorsch, Apr 19 '18 00:04
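An added example, not code from this issue or from the SecureDrop project: a small checker that parses a Content-Security-Policy header string and reports whether its effective script-src still allows eval(), so the "before" and "after" states of the CSP_SCRIPT_SRC change discussed above can be verified mechanically. The two sample policies are constructed for illustration; the fallback from script-src to default-src and the "first directive wins" rule follow the CSP specification.

```javascript
// Added example (not SecureDrop code): parse a CSP header and decide whether
// the effective script-src permits eval(). Sample policies are constructed.

function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [rawName, ...values] = tokens;
    const name = rawName.toLowerCase();
    // CSP: if a directive name appears twice, the first occurrence wins.
    if (!(name in directives)) directives[name] = values;
  }
  return directives;
}

// script-src falls back to default-src when it is absent.
function effectiveScriptSrc(directives) {
  if ('script-src' in directives) return directives['script-src'];
  if ('default-src' in directives) return directives['default-src'];
  return null; // neither present: scripts are unrestricted
}

// True when the policy (or lack of one) lets eval()/new Function() run.
function allowsEval(header) {
  const src = effectiveScriptSrc(parseCsp(header));
  if (src === null) return true;
  return src.some((v) => v.toLowerCase() === "'unsafe-eval'");
}

// Constructed "before" and "after" policies for the change tracked in this issue.
const BEFORE = "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self'";
const AFTER = "default-src 'self'; script-src 'self'; style-src 'self'";

console.log('before allows eval:', allowsEval(BEFORE)); // true
console.log('after allows eval: ', allowsEval(AFTER)); // false
```

Running the checker against the live response header of a page is a quick regression test once unsafe-eval has been removed; a bundle that still relies on eval() will then fail with a CSP violation in the browser console rather than silently keeping the directive.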