
Compatibility with Content Security Policy without 'unsafe-eval'?

Open josephguillaume opened this issue 5 years ago • 3 comments

I tried to use solid-auth-client.bundle.js to add solid to an existing website that uses Content Security Policy and ran into the error: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: ...

Obviously the error can be avoided by setting unsafe-eval, but it would be great if this wasn't necessary.

It appears the error is due to Function constructor calls in solid-auth-client dependencies. The ones I found are:

@trust/json-document, which it appears is a dependency of @solid/oidc-rp both directly and indirectly via @solid/jose:
https://github.com/anvilresearch/json-document/blob/c2be5e377ebfda753ec9753d5107557617e08b64/src/Validator.js#L64
https://github.com/anvilresearch/json-document/blob/c2be5e377ebfda753ec9753d5107557617e08b64/src/Initializer.js#L34

In the webpack build of browser/index.js:

        // This works if eval is allowed (see CSP)
        g = g || new Function("return this")();

It appears this is a webpack configuration issue somewhere, requiring a node:false setting? https://stackoverflow.com/questions/48695579/how-to-remove-eval-and-function-constructor-from-webpack-build-to-avoid-csp-issu

Fixing this is a bit out of my depth but I thought I'd share what I discovered so far...

josephguillaume, Jul 19 '20 12:07

Just noticed the @trust/json-document errors should be addressed by PR https://github.com/solid/solid-auth-client/pull/150

josephguillaume, Jul 19 '20 12:07

Thanks for digging into this! I recently did a big dependency update of the mashlib stack but didn't drill down into solid-auth-client. Sounds like I should have, so I made a note of it. I'll try to find time to look into this!

michielbdejong, Jul 23 '20 08:07

Presumably this issue can now be closed as no longer relevant given that solid-auth-client is now a legacy library and there are other more major security issues?

josephguillaume, Jan 31 '21 02:01