
Support strict CSP enabled environments

Open ajainarayanan opened this issue 7 years ago • 3 comments

Feature request The library has the usage of new Function(...), for instance (https://github.com/mtth/avsc/blob/master/lib/types.js#L2172), which is considered harmful in environments where CSP policy is enabled with no unsafe-eval.

Are there any plans of providing a fallback for such environments?

ajainarayanan avatar Feb 11 '19 18:02 ajainarayanan

There are no plans to do so but this sounds like a reasonable idea: I would be happy to review a PR which isolates code-generation and provides an alternate--optional--implementation.

(These Function calls are at the heart of code-generation for decoding and encoding: performance would drastically suffer without.)

mtth avatar Feb 16 '19 15:02 mtth

@mtth Thanks for the response. I have a rough implementation of converting the usage of new Function for types. But unfortunately it is breaking 6 unit tests. I am trying to figure out how to fix them.

Will send out a PR sometime but might need some help on implementing a flag to switch new Function usage to regular function (did I understand this correctly?) and unit tests.

ajainarayanan avatar Feb 20 '19 01:02 ajainarayanan

Sounds good, thank you for working on it! Feel free to send a PR even before fixing all the tests if you want early feedback.

mtth avatar Feb 20 '19 04:02 mtth
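
The fallback discussed in this thread, as an added example that is not part of the issue and is not avsc's code: a record reader built either with `new Function` or, where a CSP without `unsafe-eval` forbids it, with plain closures. The names `readers`, `codegenAllowed`, `buildReader` and the two-type schema are assumptions made for illustration; it runs in Node.js.

```javascript
// Added example, not avsc code. Hypothetical names: readers, codegenAllowed, buildReader.
const readers = {
  // Avro-style zigzag varint, limited to 32-bit values for brevity.
  int(tap) {
    let n = 0, shift = 0, b;
    do { b = tap.buf[tap.pos++]; n |= (b & 0x7f) << shift; shift += 7; } while (b & 0x80);
    return (n >>> 1) ^ -(n & 1);
  },
  // Length-prefixed UTF-8 string.
  string(tap) {
    const len = readers.int(tap);
    const s = tap.buf.toString('utf8', tap.pos, tap.pos + len);
    tap.pos += len;
    return s;
  },
};

// Under a CSP without 'unsafe-eval', the Function constructor throws instead of compiling.
function codegenAllowed() {
  try { new Function('return 1'); return true; } catch (e) { return false; }
}

function buildReader(fields, useCodegen = codegenAllowed()) {
  for (const f of fields) {
    // Only whitelisted type names ever reach the generated source.
    if (!Object.prototype.hasOwnProperty.call(readers, f.type)) throw new Error('unknown type: ' + f.type);
  }
  if (useCodegen) {
    // Generated path: one straight-line object literal; field names are JSON-escaped.
    const body = fields.map(f => `${JSON.stringify(f.name)}: r.${f.type}(tap)`).join(', ');
    return new Function('r', `return function (tap) { return {${body}}; };`)(readers);
  }
  // CSP-safe path: same reads in the same order, driven by a loop over closures.
  const steps = fields.map(f => [f.name, readers[f.type]]);
  return function (tap) {
    const rec = {};
    for (const [name, read] of steps) rec[name] = read(tap);
    return rec;
  };
}

// Constructed sample: id = 150 (zigzag varint ac 02), name = "hi" (length 04, then 68 69).
const sampleSchema = [{ name: 'id', type: 'int' }, { name: 'name', type: 'string' }];
const sampleBytes = Buffer.from([0xac, 0x02, 0x04, 0x68, 0x69]);
function decodeSample(useCodegen) {
  return buildReader(sampleSchema, useCodegen)({ buf: sampleBytes, pos: 0 });
}
console.log(decodeSample(true), decodeSample(false));
```

Passing `useCodegen` explicitly lets a test suite exercise both paths on the same inputs, which is the kind of flag the thread asks about.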