
Problems with CSP

Open budarin opened this issue 3 years ago • 13 comments

There is a code in the library

try {
  new Function('')
} catch(error) {
  // if eval variants are not supported, do not create inline object readers ever
  inlineObjectReadThreshold = Infinity
}

It causes problems when using Trusted Types on the site:

{
   "csp-report":{
      "document-uri":"https://site/",
      "referrer":"",
      "violated-directive":"script-src",
      "effective-directive":"script-src",
      "original-policy":"default-src 'none'; child-src 'self'; connect-src 'self'; upgrade-insecure-requests; script-src 'self' 'strict-dynamic' ...sha256 hashes...  'report-sample'; require-trusted-types-for 'script'; trusted-types webpack-tt default; form-action 'self'; base-uri 'none'; manifest-src 'self'; object-src 'none'; report-uri csp-report; frame-ancestors 'none'; img-src 'self' data: ; style-src 'self' 'unsafe-inline' 'report-sample'; worker-src 'self';",
      "disposition":"enforce",
      "blocked-uri":"eval",
      "line-number":2,
      "column-number":9822,
      "source-file":"https://site/c1091830662e60c6d816.js",
      "status-code":200,
      "script-sample":"(function anonymous(\n) {\n\n})"
   }
}

In addition to the fact that the code generates an error, it is also blocked.

budarin avatar Oct 18 '22 21:10 budarin
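Triage logic for report-uri payloads like the one posted above, as an added example (not msgpackr's code and not the reporter's site code). The sample report is constructed from the fields shown in the issue; the `probe` flag relies on V8 stringifying `new Function('')` as `function anonymous(...)`.

```javascript
// Added example: classify a CSP violation report and explain what it means.
// The sample below is constructed from the report posted in this issue.
const SAMPLE_REPORT = JSON.stringify({
  "csp-report": {
    "document-uri": "https://site/",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "original-policy": "default-src 'none'; script-src 'self' 'strict-dynamic' 'report-sample'; " +
      "require-trusted-types-for 'script'; trusted-types webpack-tt default",
    "disposition": "enforce",
    "blocked-uri": "eval",
    "source-file": "https://site/c1091830662e60c6d816.js",
    "line-number": 2,
    "column-number": 9822,
    "script-sample": "(function anonymous(\n) {\n\n})",
  },
});

// Does the named directive in the original policy contain the given token?
function directiveHas(policy, name, token) {
  const d = policy.split(";").map((s) => s.trim()).find((s) => s.startsWith(name + " "));
  return !!d && d.split(/\s+/).includes(token);
}

// Parse one report body and return a structured finding for the triage queue.
function triageCspReport(body) {
  const r = JSON.parse(body)["csp-report"];
  if (!r) throw new Error("not a CSP report");
  const policy = r["original-policy"] || "";
  const sample = r["script-sample"] || "";
  const finding = {
    directive: r["effective-directive"] || r["violated-directive"],
    enforced: r.disposition === "enforce",
    blockedUri: r["blocked-uri"],
    source: `${r["source-file"]}:${r["line-number"]}:${r["column-number"]}`,
    // An empty Function constructor call stringifies as "function anonymous(...)":
    // a feature-detection probe rather than real dynamic code.
    probe: /^\(?function anonymous\(/.test(sample),
    kind: "other",
    hint: "",
  };
  if (finding.directive === "script-src" && finding.blockedUri === "eval") {
    finding.kind = "eval";
    finding.hint = directiveHas(policy, "script-src", "'unsafe-eval'")
      ? "eval allowed by script-src; look for a second, stricter policy"
      : "string-to-code blocked: a try/catch around it still sends this report, " +
        "and a Trusted Types default policy does not grant 'unsafe-eval'; " +
        "use a build of the library that avoids new Function/eval";
  }
  return finding;
}
```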

I have such a policy on the website

if (window.trustedTypes && window.trustedTypes.createPolicy) {
    window.trustedTypes.createPolicy('default', {
        createScriptURL: (urlStr: string) => {
            if (typeof urlStr !== 'string') {
                throw new TypeError('invalid URL');
            }

            const url = new URL(urlStr, window.location.origin);

            if (url.origin !== window.location.origin) {
                throw new TypeError('invalid URL');
            }

            return urlStr;
        },

        createScript: (string) => string,
    });
}

But the code above still causes a CSP error.

I started debugging the code and looked at the error in the catch:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'strict-dynamic' 'sha512-hashes ...'  'report-sample'".

stack: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'strict-dynamic' 'sha512-hashes...'  'report-sample'".
    at new Function (<anonymous>)
    ...

budarin avatar Oct 18 '22 21:10 budarin

So you are getting an error thrown before the unpack.js module even starts running (so the try/catch won't catch this). I suppose maybe I could add something to the build script to generate an unpack-safe.js or unpack-noeval.js that strips out the new Function code. Do you think that would work?

kriszyp avatar Oct 19 '22 00:10 kriszyp

If this code is no longer present in the library, it will definitely help

But the decision to split the code into 2 because of one line is not very optimal...

budarin avatar Oct 19 '22 01:10 budarin

This should be addressed in v1.8.0, with a separate dist/build of msgpackr that does not use Function.

kriszyp avatar Nov 13 '22 00:11 kriszyp

Thanks! How can this be implemented? Is there a description in the documentation?

budarin avatar Nov 13 '22 00:11 budarin

It is the dist/index-no-eval.js file (and yes, it is in the docs).

kriszyp avatar Nov 13 '22 00:11 kriszyp

Thanks! Will read and try.

budarin avatar Nov 13 '22 01:11 budarin

I'm sorry, but I get an error when I try to import:

import { Packr } from 'msgpackr/dist/index-no-eval';

webpack error:

[0] ERROR in ./src/client/index.ts 1:0-52
[0] Module not found: Error: Package path ./dist/index-no-eval is not exported from package /Users/project/node_modules/msgpackr (see exports field in /Users/projects/node_modules/msgpackr/package.json)

Also, TypeScript types do not work with such an import.

budarin avatar Nov 13 '22 01:11 budarin

You need to add to package.json the entry

  "files": [
    "dist/**"
  ]

budarin avatar Nov 14 '22 21:11 budarin

Sorry, I didn't realize you were loading these as modules. Are you wanting to load the entire msgpackr bundle as a module, or specifically the unpack module (without Function/eval)?

kriszyp avatar Nov 21 '22 04:11 kriszyp

On the server I use only the unpack module, and since I use CSP, I need a module without eval.

budarin avatar Nov 21 '22 04:11 budarin

Published an export (msgpackr/unpack-no-eval) in v1.8.1.

kriszyp avatar Nov 28 '22 02:11 kriszyp

Everything is OK with the import, but the types for this module are not available (

budarin avatar Nov 28 '22 21:11 budarin