Open egloff opened 1 year ago
I like the suggestion about documenting required CSP policies. It's odd that eval is being used though, I wonder if some dependency is dragging that in?
I may have found something:
Lines 92 and 109 are both imports of the library Microsoft Dynamic Proto Utility 1.1.4, which itself uses the external JavaScript library Sinon.JS at version 1.17.2, which indeed uses eval for some purpose.
This version is rather old (2015?!?):
In the current version you can find the following comment:
// Do not change this to use an eval. Projects that depend on sinon block the use of eval.
// ref: https://github.com/sinonjs/sinon/issues/710
It references a ticket which was fixed at the end of 2015...
The current version of Microsoft Dynamic Proto Utility (1.1.7) still uses version 1.17.2 of Sinon.JS, so maybe they need to update their dependencies or this library should not be used by the Azure Communication Services API?
Or I may be wrong and the eval comes from somewhere else, because sinon-1.17.2.js is located in the folder DynamicProto-JS-1.1.4.tar.gz:/rollup/test/External/ and therefore may only be used for testing?
@egloff You are right. It comes from https://github.com/microsoft/DynamicProto-JS/blob/master/rollup/test/External/sinon-1.17.2.js
You may want to log an issue there instead?
Sorry, I am a little bit confused.
We are currently upgrading @azure/communication-calling
to version 1.10.1 to allow the usage of Firefox for our product.
Now we still have an 'unsafe-eval' policy violation, but in another library:
Line 116, which points to Cloud.ts:
As you can see, the Microsoft Dynamic Proto libraries are still there, in the same versions, but the error is reported on the Cloud.ts library.
That results in two more questions:
There is a new Version of Microsoft Dynamic Proto (https://www.npmjs.com/package/@microsoft/dynamicproto-js/v/1.1.8) available which does not include the suspected Sinon.JS version anymore. You may want to bump the version from 1.1.4 (and 1.1.7?) to 1.1.8.
But as you can see in my previous comment, the problem may persist, as in version 1.10.1 the CSP error results from the Cloud.ts dependency and not from Microsoft Dynamic Proto. Could you have a look at this? I don't see where Cloud.ts is coming from nor where it is hosted. Any help would be appreciated :)
@akania @fizampou please take a look.
@egloff can you please give it a try with https://www.npmjs.com/package/@azure/communication-calling/v/1.13.0-alpha.20230324.4 - recently a couple of the dependencies mentioned before were updated - in the meantime we'll continue checking the occurrence in Cloud.ts and come back with findings asap
Hey @akania
Thanks for reaching out to me. I checked out the new version; unfortunately I still get the described CSP error in the area of Cloud.ts:
Btw: as you can see, there is the new version of Microsoft Dynamic Proto (1.1.8), but right after it follows version 1.1.7 of the same library. I don't know if that is on purpose or not, but it does not seem to trigger the CSP error.
Also required to use unsafe-eval when using the video effect feature BackgroundBlurEffects from the @azure/communications-calling(-effects) package. The stacktrace mentions WASM, but wasm-unsafe-eval doesn't work compared to unsafe-eval.
Content-Security-Policy: "default-src 'self' 'unsafe-inline' https: data: wss: https://fonts.googleapis.com https://fonts.gstatic.com; worker-src 'self' blob:"
Package Name: @azure/communication-calling
Package Version: 1.24.3
Operating system: Windows 11 Pro 22631.3593
Web browser: Chrome 125.0.6422.112
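Added example (not code from the Azure SDK or from anyone in this thread): a small JavaScript helper that parses the policy value quoted in the report above and reports whether its effective script directive permits JavaScript eval and WebAssembly compilation. The 'wasm-unsafe-eval' and 'unsafe-eval' variants are constructed for comparison.

```javascript
// Parse "dir a b; dir2 c" into { dir: ['a', 'b'], dir2: ['c'] }.
// Per CSP, a repeated directive name is ignored: the first occurrence wins.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// eval()/new Function() and WebAssembly compilation are governed by script-src;
// when script-src is absent the browser falls back to default-src.
function auditDynamicCode(header) {
  const policy = parseCsp(header);
  const governedBy = policy['script-src'] ? 'script-src'
                   : policy['default-src'] ? 'default-src' : null;
  if (governedBy === null) return { governedBy, jsEval: true, wasm: true }; // unrestricted
  const sources = new Set(policy[governedBy].map((s) => s.toLowerCase()));
  const jsEval = sources.has("'unsafe-eval'");              // allows JS eval AND WebAssembly
  const wasm = jsEval || sources.has("'wasm-unsafe-eval'"); // allows WebAssembly only
  return { governedBy, jsEval, wasm };
}

// The policy value quoted in the report above (no script-src, so default-src applies).
const REPORTED_POLICY =
  "default-src 'self' 'unsafe-inline' https: data: wss: https://fonts.googleapis.com " +
  "https://fonts.gstatic.com; worker-src 'self' blob:";

// Constructed variants: adding only 'wasm-unsafe-eval' lifts the WebAssembly
// restriction but still blocks eval(), so a library that needs both keeps failing.
// String.replace with a string pattern changes only the first 'self' (the default-src one).
const WITH_WASM_ONLY = REPORTED_POLICY.replace("'self'", "'self' 'wasm-unsafe-eval'");
const WITH_UNSAFE_EVAL = REPORTED_POLICY.replace("'self'", "'self' 'unsafe-eval'");

console.log('reported:        ', auditDynamicCode(REPORTED_POLICY));
console.log('wasm-unsafe-eval:', auditDynamicCode(WITH_WASM_ONLY));
console.log('unsafe-eval:     ', auditDynamicCode(WITH_UNSAFE_EVAL));
```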
The issue still exists in version 1.26.2. Can someone take a look at this? It's very annoying that we keep getting CSP errors for policies that aren't actually needed.
Describe the bug
Basically this is a 'reopen' of the following bug: https://github.com/Azure/Communication/issues/384 The communication-calling library still requires allowing
script-src: unsafe-eval
for a CSP policy. Further, it would be nice if all required CSP policies were documented somewhere so we don't need trial and error during development.
Expected behavior
The library (and any dependencies of it) should not require 'unsafe-eval'.
Additional context
Exact error message is: