I tried to use `solid-auth-client.bundle.js` to add solid to an existing website that uses Content Security Policy and ran into the error:

```
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: ...
```

Obviously the error can be avoided by setting `unsafe-eval`, but it would be great if this wasn't necessary.

It appears the error is due to `Function` constructor calls in solid-auth-client dependencies.

The ones I found are:

- `@trust/json-document`, which it appears is a dependency of `@solid/oidc-rp` both directly and indirectly via `@solid/jose`.
  - https://github.com/anvilresearch/json-document/blob/c2be5e377ebfda753ec9753d5107557617e08b64/src/Validator.js#L64
  - https://github.com/anvilresearch/json-document/blob/c2be5e377ebfda753ec9753d5107557617e08b64/src/Initializer.js#L34
- In the webpack build of browser/index.js:
  It appears this is a webpack configuration issue somewhere, requiring a `node:false` setting? https://stackoverflow.com/questions/48695579/how-to-remove-eval-and-function-constructor-from-webpack-build-to-avoid-csp-issu

Fixing this is a bit out of my depth but I thought I'd share what I discovered so far...

Thanks for digging into this! I recently did a big dependency update of the mashlib stack but didn't drill down into solid-auth-client. Sounds like I should have, so I made a note of it. I'll try to find time to look into this!

Presumably this issue can now be closed as no longer relevant given that solid-auth-client is now a legacy library and there are other more major security issues?
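An added example, not code from this issue or from the solid-auth-client project: a heuristic scanner that automates the manual search described in the issue by listing `eval`, `Function` constructor and string-argument timer calls in bundle text, the constructs a CSP without `'unsafe-eval'` refuses to run. The function names (`maskSource`, `findEvalSinks`) and the sample input are constructed for illustration.

```javascript
// Blank out comments and string contents (quotes and newlines kept) so line
// numbers still match. Heuristic: regex literals and ${} are not understood.
function maskSource(src) {
  let out = "", i = 0;
  const blank = () => { out += src[i] === "\n" ? "\n" : " "; i++; };
  while (i < src.length) {
    const c = src[i], d = src[i + 1];
    if (c === "/" && d === "/") {
      while (i < src.length && src[i] !== "\n") blank();
    } else if (c === "/" && d === "*") {
      const end = src.indexOf("*/", i + 2), stop = end < 0 ? src.length : end + 2;
      while (i < stop) blank();
    } else if (c === '"' || c === "'" || c === "`") {
      out += c; i++;
      while (i < src.length && src[i] !== c) {
        if (src[i] === "\\") blank();          // backslash, then escaped char
        if (i < src.length) blank();
      }
      if (i < src.length) { out += c; i++; }   // closing quote
    } else { out += c; i++; }
  }
  return out;
}

const SINKS = [
  { kind: "eval", re: /(?<![\w$])eval\s*\(/g },
  { kind: "Function constructor", re: /(?<![\w$])(?:new\s+)?Function\s*\(/g },
  { kind: "string timer", re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/g },
];

function findEvalSinks(src) {
  const masked = maskSource(src), lines = src.split("\n"), hits = [];
  for (const { kind, re } of SINKS)
    for (const m of masked.matchAll(re)) {
      const line = masked.slice(0, m.index).split("\n").length;
      hits.push({ kind, line, text: lines[line - 1].trim() });
    }
  return hits.sort((a, b) => a.line - b.line);
}
// Constructed sample input, not taken from the real bundle.
const SAMPLE_BUNDLE = [
  '// eval("in a comment: not reported")',
  'try { g = g || new Function("return this")(); } catch (e) {}',
  'var msg = "in a string: Function(body) and eval(x)";',
  'var validate = Function("data", "return data != null");',
  'function isFunction(f) { return typeof f === "function"; }',
  'setTimeout("tick()", 100);',
].join("\n");
console.log(findEvalSinks(SAMPLE_BUNDLE));
```

To audit a real build, pass the bundle file's contents to `findEvalSinks`; hits in minified output are best confirmed against the dependency's source before changing the policy or the build.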