peggy
'unsafe-eval' causes security issues
Google Chrome Extension Manifest V3 does not allow unsafe-eval any more, which currently prevents using peggy.
The problematic line reported is https://github.com/peggyjs/peggy/blob/244029be7d8a693ef0b1dd90fc4c14ace2bba4ea/lib/compiler/index.js#L113 (not sure if there are other places like that).
Writing down my notes here as I research this. If anyone has a path forward to recommend, or is willing to send a PR, we can prioritize the work to get it released. In the meantime, you'll have to watch me struggle. :)
In your use cases, can you pre-compile the grammar? The output of generate doesn't have an eval in it.
If not, we'll have to get a little creative. References:
I was able to recreate this by adding:
<meta http-equiv="Content-Security-Policy" content="script-src https://unpkg.com/ 'self' 'unsafe-inline'">
into the header of docs/online.html.
It looks like the presence of an eval statement isn't an issue, which means we don't need a special build.
A Sandbox is probably the correct way to go about this. Maybe we could create a generic sandbox, pass the grammar to it as a string with an identifier, have the sandbox generate and eval the result, then allow calling the parse function by identifier. You'd be limited in the types that you could return to things that would survive postMessage.
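The sandbox design sketched in the comment above, written out as an added example; this is not peggy's code and not part of the thread. A Node.js worker_threads Worker plays the sandbox: the host hands it generated parser source under an identifier, the worker is the only place that eval is ever called, and the host invokes parse by identifier over postMessage. Assumptions: Node.js with worker_threads; the parser source is a constructed stand-in for what peggy's source output would produce (peggy is not required); createSandbox, load, parse and demo are hypothetical names chosen for this example. In a browser the same protocol would run against an iframe or Worker served with its own CSP that permits 'unsafe-eval', so that the main document's CSP can stay strict.

```javascript
// Added example, not peggy's code. A worker_threads Worker is the sandbox;
// generated parser source is eval'd only inside it, and the host calls
// parse by identifier over postMessage.
// Assumes Node.js with worker_threads (v12+).

// Code that runs inside the sandbox. Kept as a string so this file is
// self-contained; it is passed to the Worker with { eval: true }.
const SANDBOX_SRC = `
  const { parentPort } = require("worker_threads");
  const parsers = new Map(); // identifier -> parser object

  parentPort.on("message", (msg) => {
    try {
      if (msg.op === "load") {
        // msg.source is expected to be an expression that evaluates to a
        // parser object (the shape of peggy's "source" output in bare format).
        // Indirect eval runs it in global scope, as a runtime eval would.
        parsers.set(msg.name, (0, eval)(msg.source));
        parentPort.postMessage({ id: msg.id, ok: true, result: msg.name });
      } else if (msg.op === "parse") {
        const parser = parsers.get(msg.name);
        if (!parser) throw new Error("unknown parser: " + msg.name);
        // Only values that survive structured cloning can cross postMessage;
        // a grammar whose actions build functions or class instances would
        // need to return a plain-data AST instead.
        parentPort.postMessage({ id: msg.id, ok: true, result: parser.parse(msg.input) });
      } else {
        throw new Error("unknown op: " + msg.op);
      }
    } catch (e) {
      // Keep the reply plain data: send the error message, not the Error.
      parentPort.postMessage({ id: msg.id, ok: false, error: String((e && e.message) || e) });
    }
  });
`;

// Host side: request/response RPC over postMessage, correlated by id.
async function createSandbox() {
  // Dynamic import works in both CommonJS and ES module files.
  const { Worker } = await import("worker_threads");
  const worker = new Worker(SANDBOX_SRC, { eval: true });
  const pending = new Map(); // id -> { resolve, reject }
  let nextId = 0;

  worker.on("message", (reply) => {
    const p = pending.get(reply.id);
    if (!p) return;
    pending.delete(reply.id);
    reply.ok ? p.resolve(reply.result) : p.reject(new Error(reply.error));
  });
  worker.on("error", (err) => {
    for (const p of pending.values()) p.reject(err);
    pending.clear();
  });

  const call = (payload) =>
    new Promise((resolve, reject) => {
      const id = nextId++;
      pending.set(id, { resolve, reject });
      worker.postMessage({ id, ...payload });
    });

  return {
    load: (name, source) => call({ op: "load", name, source }),
    parse: (name, input) => call({ op: "parse", name, input }),
    close: () => worker.terminate(),
  };
}

// Constructed stand-in for generated parser source (peggy is not used here):
// an expression yielding { parse } for a comma-separated list of integers.
const FAKE_GENERATED_SOURCE = `(function () {
  function parse(input) {
    return input.split(",").map((tok) => {
      const t = tok.trim();
      if (!/^\\d+$/.test(t)) throw new Error('Expected integer but "' + t + '" found.');
      return Number(t);
    });
  }
  return { parse };
})()`;

// Load one parser into the sandbox, parse valid input, and show that a parse
// failure inside the worker surfaces to the host as a rejected promise.
async function demo() {
  const sandbox = await createSandbox();
  try {
    await sandbox.load("ints", FAKE_GENERATED_SOURCE);
    const parsed = await sandbox.parse("ints", "1, 2, 3");
    let rejected = null;
    try {
      await sandbox.parse("ints", "1, x");
    } catch (e) {
      rejected = e.message;
    }
    return { parsed, rejected };
  } finally {
    await sandbox.close();
  }
}

demo().then((r) => console.log(JSON.stringify(r)));
```

The host never touches eval or new Function, so it can run under a CSP without 'unsafe-eval'; only the worker (or, in a browser, a separately served frame) needs the relaxed policy. The price is the one the comment names: results must be structured-clone-able, and every call is asynchronous.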
Actually, in my case, pre-compiling the grammar solved the issue!
Thanks for your swift and effective help, @hildjj!!! I leave to your consideration if the ticket should be closed now.
I want to leave the ticket open, since it's an interesting problem. We'll just move its priority down since you're up and running.
BTW, this only shows this feature should have never been there. I'd remove that option in a major version.
If a user of the library wants to evaluate it immediately, it's no problem to run with source output and do an eval. It's only 6 more characters to type.
After having thought about this more, I'm going to close this as not-planned. Anyone who is using Peggy in a secure environment should pre-compile their grammars.