error loading turf with browser policy (CSP) and disableEval()
Hello, not sure if this is something easy/possible, but when using CSP on a site and disabling the use of eval() or similar to avoid XSS on websites, I get the following error while loading Turf.js:
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'". (at turf.min.js:16:16187)
Is it possible to refactor the library to avoid using eval strings to code?
Thanks! :)
@tcastelli as far as I can see, we don't have any calls to eval() in any of our packages: can you use an uncompressed build of Turf to find a more precise error report?
Closing: please reopen if you can give a more specific report.
I'm getting a similar error when the code is evaluated:
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'
The referenced lines are lines 5625-5628 in the un-minified turf.js I got off GitHub for v2.0.0. Is there any way around this without modifying the CSP?
@Lknechtli Looks like this is the result of code in robust-orientation, one of the nested dependencies of turf-convex, using new Function to generate functions.
Without entirely replacing / reimplementing turf-convex to avoid the evals, it looks like you're stuck modifying CSP, or using a custom turf build that doesn't include turf-convex
Does that mean this is not being considered?
I'm kind of blocked on using turf, I'd really prefer to not fork.
I doubt this will be considered for now until the dependency is fixed.
Have you considered simply importing the modules you want via npm and building your own bundle with Webpack or Browserify?
@rimig Which Turf modules are you interested in using? This issue is only relevant for @turf/convex and the entire browser Turf build.
@DenisCarriere yea I'm all set. I just needed @turf/along and @turf/line-distance.
👍 Awesome stuff, it's definitely easier to load individual modules instead of the whole thing.
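Building a custom bundle from individual modules fixes the problem only as long as none of the chosen modules pulls in a code-generating dependency, and that can change on any dependency bump. The following is an added example, not Turf's tooling: a pre-ship check that scans the source files going into a bundle for the sinks a script-src without 'unsafe-eval' refuses and fails the build with file:line locations. The sample files are constructed for the example (the "orientation.js" module is a hypothetical stand-in for a code-generating dependency, not robust-orientation's source); regex matching is triage only, it will also flag mentions inside comments and strings.

```javascript
// Added example (not Turf's tooling): CI gate that rejects a bundle whose
// inputs use dynamic code generation and so would need 'unsafe-eval'.

const DYNAMIC_CODE_SINKS = [
  { name: 'Function constructor', re: /\bnew\s+Function\s*\(|\bFunction\s*\(\s*['"`]/ },
  { name: 'eval',                 re: /\beval\s*\(/ },
  { name: 'string timer',         re: /\b(?:setTimeout|setInterval)\s*\(\s*['"`]/ },
  { name: 'constructor trick',    re: /\.constructor\s*\(\s*['"`]/ },
];

// files: [{ path, source }]. Returns one hit per matching line and sink.
function scanForDynamicCode(files) {
  const hits = [];
  for (const { path, source } of files) {
    source.split('\n').forEach((text, i) => {
      for (const sink of DYNAMIC_CODE_SINKS) {
        if (sink.re.test(text)) {
          hits.push({ path, line: i + 1, sink: sink.name, text: text.trim() });
        }
      }
    });
  }
  return hits;
}

// Throws with a file:line report if any sink is present; returns true otherwise.
function assertCspSafeBundle(files) {
  const hits = scanForDynamicCode(files);
  if (hits.length) {
    const report = hits.map(h => `${h.path}:${h.line} [${h.sink}] ${h.text}`).join('\n');
    throw new Error(`bundle would need 'unsafe-eval':\n${report}`);
  }
  return true;
}

// Constructed sample input: sources of a tiny hypothetical bundle. None of this
// is Turf or robust-orientation code; it only reproduces the patterns.
const SAMPLE_FILES = [
  {
    path: 'node_modules/some-geometry-dep/orientation.js',
    source: [
      'function generateOrientation(n) {',
      "  var code = ['var s = 0;', 'return s;'].join('');",
      '  return new Function("a", "b", code);',
      '}',
      'module.exports = generateOrientation;',
    ].join('\n'),
  },
  {
    path: 'src/along.js',
    source: [
      'function along(line, distance) {',
      '  return { type: "Point", coordinates: line[0] };',
      '}',
      'module.exports = along;',
    ].join('\n'),
  },
];

if (typeof require !== 'undefined' && require.main === module) {
  try {
    assertCspSafeBundle(SAMPLE_FILES);
    console.log('bundle is CSP-safe');
  } catch (e) {
    console.error(e.message);
    process.exitCode = 1;
  }
}
```

Running it over the finished minified bundle works as well, because minifiers cannot rename the global Function constructor or a direct eval call. A scan is only a first pass; the final word is loading the bundle in a page with the real policy applied.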
Thanks for the info! I'm running into this same issue, and filed https://github.com/mikolalysenko/robust-orientation/issues/4 on the dependency involved.
I'm trying to use @turf/center-of-mass, but I get the same error. It points to orientation.js from robust-orientation. Is there any update on how to proceed?
I'm also running into the same issue. Having to change the CSP to address security flaws in a library seems like a bad idea. Having to cherry-pick modules because of the security flaws also seems like a bad idea, since the module I need has this flaw.
This seems to have been going on for quite some time and I'm wondering if there are plans to update this library to make it safe or if there is an alternative library which can accomplish similar results without the security issues.
any solution?
None that I know of. So far, we've had to look for other options outside of using Turf.
> From: Vitor Brangioni, Sent: Monday, November 7, 2022, Subject: Re: [Turfjs/turf] error loading turf with browser policy (CSP) and disableEval() (#261)
> any solution?
any solution?
From what I can see the robust-orientation dependency is no longer part of Turf v7. That should have resolved this so will close this issue. Please reopen if it's still a problem after upgrading.