formBuilder icon indicating copy to clipboard operation
formBuilder copied to clipboard

Published 20 hours ago verified publisher icon kevinchappell

Content Security Policy and formbuilder

Open mkgn opened this issue 2 years ago • 2 comments

Description: form-builder.min.js doesn't work with CSP without unsafe-eval

Environment Details:

  • formBuilder Version: 3.7.2
  • Browser: Latest browsers
  • OS: Any

Expected Behavior:

Should align with CSP to maintain security

Actual Behavior :

complains with below error (see image as well)

[Report Only] Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".

image

Steps to Reproduce

Just include the script, set CSP headers and check browser console.

mkgn avatar Apr 28 '22 06:04 mkgn

@mkgn do you know what line of code is triggering that error? formBuilder doesn't use eval image

kevinchappell avatar Apr 28 '22 16:04 kevinchappell

Hmm... it's funny... the line it shows in console is 19. When you apply a CSP policy with "script-src 'self' does it complain?

mkgn avatar May 01 '22 07:05 mkgn

Got a similar error, seems to load in a lang file.

I uglified the min file. I think you see which part of the code is trigger the CSP block.

Screen Shot 2022-09-04 at 23 39 54 Screen Shot 2022-09-04 at 23 40 30

jorgeuos avatar Sep 04 '22 21:09 jorgeuos

@kevinchappell , The eval is injected by webpack 4.4 node.js global polyfill https://github.com/webpack/webpack/blob/webpack-4/buildin/global.js

new Function("return this")()

the simplest method to fix this is to disable injection of the polyfill in the webpack config

node: { global: false, }

I'll submit a PR

lucasnetau avatar Sep 28 '22 01:09 lucasnetau

Got a similar error, seems to load in a lang file.

I uglified the min file. I think you see which part of the code is trigger the CSP block.

Screen Shot 2022-09-04 at 23 39 54 Screen Shot 2022-09-04 at 23 40 30

@jorgeuos You either need to allow this in your CSP to load the language file, or download the required language file and deploy it as part of your applications assets.

You can configure which lang file to use via the

i18n: {
    locale: 'en-US',
    location: "/path/to/lang/files"
}

lucasnetau avatar Sep 28 '22 01:09 lucasnetau

@jorgeuos You either need to allow this in your CSP to load the language file, or download the required language file and deploy it as part of your applications assets.

You can configure which lang file to use via the

i18n: {
    locale: 'en-US',
    location: "/path/to/lang/files"
}

Yes, I did that. Thank you.

      fbOptions: {
        i18n: {
          locale: 'en-US',
          location: '/path/to/formBuilder-languages/',
          extension: '.lang',
        },

jorgeuos avatar Sep 28 '22 09:09 jorgeuos