
Minified version uses eval, which forces the use of a weak Content Security Policy (CSP)

Open dsebastien opened this issue 8 years ago • 6 comments

We've noticed that the minified build of FakeRest uses eval in some places, for example:

...Function("binder","return function ("+c.join(",")+"){ return binder.apply(this,arguments); }")(a);

The above fails if the Content Security Policy does not allow unsafe-eval for the script-src attribute. The error (in Chrome): EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".

Allowing 'unsafe-eval' for scripts is considered very risky from a security point of view.

Could you create a distribution that does not rely on eval so that we can use FakeRest with a strong CSP?

dsebastien, Jul 26 '16 08:07
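The snippet quoted above builds a binder by handing generated source text to the Function constructor, which is exactly what a `script-src` policy without 'unsafe-eval' refuses. The following is an added example, not FakeRest's code nor that of any of its dependencies, with hypothetical function names: it puts that pattern beside a plain closure that does the same job without evaluating a string, and adds a probe that reports whether string evaluation is permitted in the current page at all.

```javascript
// Added example (not FakeRest's or a dependency's code); names are hypothetical.

// 1. The pattern from the minified bundle. Building source text and passing it
//    to Function() is string-to-code evaluation, so a page served with
//    `Content-Security-Policy: script-src 'self'` throws an EvalError here
//    unless 'unsafe-eval' is added to script-src.
function bindWithFunctionCtor(binder, argNames) {
  // Same shape as the quoted line:
  // Function("binder","return function ("+c.join(",")+"){ return binder.apply(this,arguments); }")(a)
  return Function(
    "binder",
    "return function (" + argNames.join(",") + "){ return binder.apply(this,arguments); }"
  )(binder);
}

// 2. The same behaviour as an ordinary closure. The only thing the generated
//    source buys is a wrapper whose .length equals the number of argument
//    names; defineProperty restores that without generating any code, so this
//    version runs under a CSP that forbids 'unsafe-eval'.
function bindWithoutEval(binder, arity) {
  const wrapper = function () {
    return binder.apply(this, arguments);
  };
  Object.defineProperty(wrapper, "length", { value: arity });
  return wrapper;
}

// 3. Probe for code that has to run both with and without 'unsafe-eval'.
//    Under a CSP that forbids string evaluation, Function() throws EvalError
//    before any generated code runs, so the catch branch is taken.
function canEvaluateStrings() {
  try {
    Function("return 1")();
    return true;
  } catch (e) {
    return false;
  }
}

function makeBinder(binder, argNames) {
  return canEvaluateStrings()
    ? bindWithFunctionCtor(binder, argNames)
    : bindWithoutEval(binder, argNames.length);
}

// Constructed sample: both wrappers forward `this` and `arguments` unchanged
// and report the same arity, so callers cannot tell them apart.
function demo() {
  const ctx = { factor: 3 };
  function scale(a, b) { return this.factor * (a + b); }
  const viaFunction = bindWithFunctionCtor(scale, ["a", "b"]);
  const viaClosure = bindWithoutEval(scale, 2);
  return {
    value: viaClosure.call(ctx, 1, 2),                       // 9
    sameResult: viaFunction.call(ctx, 1, 2) === viaClosure.call(ctx, 1, 2),
    sameArity: viaFunction.length === viaClosure.length,     // both 2
  };
}
```

Node applies no CSP, so `canEvaluateStrings()` is always true there; the EvalError path only shows up in a browser with the policy header set. A library that ships the closure form alone avoids the problem outright; the probe is for the case where the Function-based form must be kept for some other reason.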

Good point, this seems to be webpack related. Requires investigation.

fzaninotto, Jul 27 '16 08:07

Has the webpack configuration changed since you made the last release? I don't see any reference to the compression/uglification plugin (webpack does not create a .min.js file in dist anymore)

dsebastien, Jul 27 '16 14:07

No, it hasn't; the problem was probably there from the start.

fzaninotto, Jul 28 '16 07:07

Hi @fzaninotto Any pointer on how we could solve this?

dsebastien, Sep 09 '16 14:09

We need a webpack hacker...

fzaninotto, Sep 09 '16 14:09

There's no minification in place in the webpack config. I think the fix just consists of:

  • deleting the dist folder
  • running webpack
  • publishing a new version :p

dsebastien, Sep 09 '16 18:09