
Support Basic non-Strict Content-Security Policy (CSP)

Open rajsite opened this issue 1 year ago • 2 comments

If I configure a page using the OWASP recommended Basic non-Strict CSP Policy, i.e. for example by adding the following <meta> tag:

    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-ancestors 'self'; form-action 'self';">

I get an error similar to the following in Chrome due to eval / Function constructor usage:

    Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self'".

    at Function (<anonymous>)
    at compile (arquero.js?v=01b19c5c:2969:10)
    at expr (arquero.js?v=01b19c5c:2973:27)
    at Object.value (arquero.js?v=01b19c5c:8802:66)
    at parse_default (arquero.js?v=01b19c5c:8817:9)
    at derive (arquero.js?v=01b19c5c:9955:30)
    at ColumnTable.derive (arquero.js?v=01b19c5c:23547:12)
    at main.ts:12:4

It would be great to be able to use arquero without requiring unsafe-eval (even if it's a teeny bit slower 🐢). Example stackblitz.

rajsite, Aug 07 '24 22:08

Has anyone got arquero included without unsafe-eval? I am using it in an Angular (v20) application with the csp: true setting on.

Getting the following error, for your reference:

    EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'strict-dynamic' 'sha256-JXRymgJZZN9071U2kgO0fFgkBmiWJc04=' 'sha256-t0UhySan8BJ5fl1xTreG2V9rEwO3A=' https: 'unsafe-inline'".

    at Function (<anonymous>)
    at Kt ([email protected]:1:24860)
    at expr ([email protected]:1:24932)
    at Object.value ([email protected]:1:159040)
    at Lr ([email protected]:1:159251)
    at ze.__filter ([email protected]:1:191871)
    at ze.filter ([email protected]:1:668)
    at Object.next (main-5O5A2C6O.js:253605:79)
    at source3.subscribe.isUnsub (main-5O5A2C6O.js:15519:74)
    at OperatorSubscriber._next (main-5O5A2C6O.js:13337:9)

Thanks, Vishwa

kinekarvishwanath, Oct 21 '25 08:10

Arquero makes deep use of the Function constructor to compile code on the fly. Making the changes necessary to pass CSP would be a significant undertaking and unfortunately not something I have time to work on. If someone is interested in working on this, I'd be happy to help guide -- but it would require touching a lot of the guts of the library.

jheer, Oct 21 '25 16:10
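Both policies quoted in this thread block arquero's expression compiler for the same reason: neither the `default-src`-only policy nor the `script-src 'strict-dynamic'` policy carries `'unsafe-eval'`, and `script-src` falls back to `default-src` when absent. The following is an added example (not arquero's code and not from any commenter) that checks a CSP string for that condition, so an application can detect up front that `derive`/`filter` will throw, and a runtime probe that catches the `EvalError` the browser raises.

```javascript
// Parse a CSP policy string into a Map of directive name -> source list.
// Per the CSP spec, a repeated directive is ignored after its first occurrence.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // empty segment, e.g. trailing ';'
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does a single policy permit eval / new Function?
// 'unsafe-eval' is governed by script-src; if script-src is absent the
// browser falls back to default-src; if both are absent, scripts are unrestricted.
function allowsUnsafeEval(policy) {
  const d = parseCsp(policy);
  const sources = d.get('script-src') ?? d.get('default-src');
  if (sources === undefined) return true;
  return sources.some(s => s.toLowerCase() === "'unsafe-eval'");
}

// Multiple policies (several headers / meta tags) are enforced together,
// so dynamic code is only allowed if every one of them allows it.
function allPoliciesAllowUnsafeEval(policies) {
  return policies.every(allowsUnsafeEval);
}

// Runtime probe: attempt the same Function-constructor call arquero makes.
// Under a CSP without 'unsafe-eval' the browser throws an EvalError.
function dynamicCodeAllowed() {
  try {
    new Function('return 1')();
    return true;
  } catch (e) {
    if (e instanceof EvalError) return false;
    throw e; // anything else is a genuine bug, not a CSP refusal
  }
}

// Constructed sample inputs: the two policies quoted in this issue.
const basicNonStrict = "default-src 'self'; frame-ancestors 'self'; form-action 'self';";
const angularStrict = "script-src 'strict-dynamic' 'sha256-AAAA' https: 'unsafe-inline'";
```

Run in a page, `dynamicCodeAllowed()` returns false exactly when arquero's `derive`/`filter` would fail; in Node (no CSP) it returns true.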