Azure / azure-sdk-for-js

This repository is for active development of the Azure SDK for JavaScript (NodeJS & Browser). For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/javascript/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-js.
MIT License

Must use 'unsafe-eval' for CSP policy when using JS SDK #24903

Open egloff opened 1 year ago

egloff commented 1 year ago

Describe the bug

Basically this is a 'reopen' of the following bug: https://github.com/Azure/Communication/issues/384 The communication-calling library still requires allowing script-src: unsafe-eval for a CSP policy. Further, it would be nice if all required CSP policies were documented somewhere so we don't need trial and error during development.

Expected behavior

The library (and any dependencies of it) should not require 'unsafe-eval'.

Additional context

Exact error message is:

Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”). [sdk.bundle.js:92:172540](https://partner.bsi-software.com/nightly/bsicrm_23_1/@azure/communication-calling/dist/sdk.bundle.js)
Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”). [sdk.bundle.js:109:588840](https://partner.bsi-software.com/nightly/bsicrm_23_1/@azure/communication-calling/dist/sdk.bundle.js)
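The browser reports the blocked eval only as a line:column position inside the minified bundle. The following added example (not code from the issue thread or the Azure SDK) scans bundle source text for the constructs that CSP's 'unsafe-eval' governs and maps a reported position back to the nearest such call site on that line, which is the first step in attributing the violation to a dependency. The sample "bundle" is constructed inline; the function names are my own.

```javascript
// Added example (not from the issue thread or the Azure SDK): locate the
// constructs that a CSP without 'unsafe-eval' blocks, so a reported
// "bundle.js:LINE:COL" position can be tied to the responsible module.
const EVAL_PATTERNS = [
  { kind: 'eval', re: /\beval\s*\(/g },
  { kind: 'Function constructor', re: /\bnew\s+Function\s*\(/g },
  // setTimeout/setInterval with a string body are compiled like eval()
  { kind: 'string timer', re: /\b(setTimeout|setInterval)\s*\(\s*["'`]/g },
];

// Returns one record per match: 1-based line and column, the pattern kind,
// and a short snippet of surrounding text for the report.
function findEvalSites(source) {
  const hits = [];
  source.split('\n').forEach((text, idx) => {
    for (const { kind, re } of EVAL_PATTERNS) {
      re.lastIndex = 0; // reset the global regex between lines
      let m;
      while ((m = re.exec(text)) !== null) {
        hits.push({
          line: idx + 1,
          column: m.index + 1,
          kind,
          snippet: text.slice(Math.max(0, m.index - 30), m.index + 40).trim(),
        });
      }
    }
  });
  return hits;
}

// Given the line:column the browser printed, return the last eval-governed
// construct on that line that starts at or before the reported column.
function siteNear(hits, line, column) {
  const onLine = hits.filter((h) => h.line === line && h.column <= column);
  return onLine.length ? onLine[onLine.length - 1] : null;
}

// Constructed sample bundle: four concatenated "modules", two of which use
// eval-like constructs; 'evaluate' and a function-bodied setTimeout must not match.
const SAMPLE_BUNDLE = [
  "/* module a */ function add(a,b){return a+b}",
  "/* module b (test helper that leaked into the bundle) */ var fn = eval('(' + src + ')');",
  "/* module c */ var g = new Function('return this')();",
  "/* module d */ var s = 'evaluate'; setTimeout(function(){}, 10);",
].join('\n');

const hits = findEvalSites(SAMPLE_BUNDLE);
for (const h of hits) {
  console.log(`${h.line}:${h.column} ${h.kind}  ${h.snippet}`);
}
console.log(siteNear(hits, 2, 80)); // the eval() in module b
```

Run it against a real bundle by replacing SAMPLE_BUNDLE with the file contents (for example `fs.readFileSync('dist/sdk.bundle.js', 'utf8')`) and passing the line and column from the CSP error; the snippet around the hit usually contains a module banner or identifier that names the dependency.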
xirzec commented 1 year ago

I like the suggestion about documenting required CSP policies. It's odd that eval is being used though, I wonder if some dependency is dragging that in?

egloff commented 1 year ago

I may have found something:


Lines 92 and 109 are both imports of the library Microsoft Dynamic Proto Utility 1.1.4, which itself uses the external JavaScript library Sinon.JS at version 1.17.2, which indeed uses eval for some purpose.

This version is rather old (2015?!?):


In the current version you can find the following comment:

    // Do not change this to use an eval. Projects that depend on sinon block the use of eval.
    // ref: https://github.com/sinonjs/sinon/issues/710

It references a ticket which was fixed at the end of 2015...

The current version of Microsoft Dynamic Proto Utility (1.1.7) still uses version 1.17.2 of Sinon.JS, so maybe they need to update their dependencies or this library should not be used by the Azure Communication Services API?

Or I may be wrong and the eval comes from somewhere else, because sinon-1.17.2.js is located in the folder DynamicProto-JS-1.1.4.tar.gz:/rollup/test/External/ and therefore may only be used for testing?

jeremymeng commented 1 year ago

@egloff You are right. It comes from https://github.com/microsoft/DynamicProto-JS/blob/master/rollup/test/External/sinon-1.17.2.js

You may want to log an issue there instead?

egloff commented 1 year ago

Sorry, I am a little bit confused.

We are currently upgrading @azure/communication-calling to version 1.10.1 to allow the usage of Firefox for our product. Now we still have an 'unsafe-eval' policy violation, but in another library:


Line 116, which points to Cloud.ts:


As you can see, the Microsoft Dynamic Proto libraries are still there, in the same versions, but the error is reported on the Cloud.ts library.

That results in two more questions:

egloff commented 1 year ago

There is a new version of Microsoft Dynamic Proto (https://www.npmjs.com/package/@microsoft/dynamicproto-js/v/1.1.8) available which does not include the suspected Sinon.JS version anymore. You may want to bump the version from 1.1.4 (and 1.1.7?) to 1.1.8.

But as you can see in my previous comment, the problem may persist, as in version 1.10.1 the CSP error results from the Cloud.ts dependency and not Microsoft Dynamic Proto. Could you have a look at this? I don't see where Cloud.ts is coming from or where it is hosted. Any help would be appreciated :)

jeremymeng commented 1 year ago

@akania @fizampou please take a look.

akania commented 1 year ago

@egloff can you please give it a try with https://www.npmjs.com/package/@azure/communication-calling/v/1.13.0-alpha.20230324.4? Recently a couple of the dependencies mentioned before were updated. In the meantime we'll continue checking the occurrence in Cloud.ts and come back with findings ASAP.

egloff commented 1 year ago

Hey @akania

Thanks for reaching out to me. I checked out the new version; unfortunately I still get the described CSP error in the area of Cloud.ts:


Btw: as you can see, there is the new version of Microsoft Dynamic Proto (1.1.8), but right after it follows version 1.1.7 of the same library. I don't know if that is on purpose or not, but it does not seem to trigger the CSP error.

oddRaven commented 3 months ago

It is also required to use unsafe-eval when using the video effect feature BackgroundBlurEffects from the @azure/communications-calling(-effects) package.

The stack trace mentions WASM, but wasm-unsafe-eval doesn't work, unlike unsafe-eval.

Content-Security-Policy: "default-src 'self' 'unsafe-inline' https: data: wss: https://fonts.googleapis.com https://fonts.gstatic.com; worker-src 'self' blob:"

Package Name: @azure/communication-calling
Package Version: 1.24.3
Operating system: Windows 11 Pro 22631.3593
Web browser: Chrome 125.0.6422.112

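The policy quoted in the comment above has no script-src, so scripts are governed by the default-src fallback, which contains neither 'unsafe-eval' nor 'wasm-unsafe-eval'. The following added example (not from the issue thread or the Azure SDK) parses a Content-Security-Policy header, reports which directive governs script execution and whether JavaScript eval() and WebAssembly compilation are permitted, and shows how to relax only script-src rather than widening default-src. It applies the CSP Level 3 rules that script-src falls back to default-src, that 'wasm-unsafe-eval' permits WebAssembly compilation but not JavaScript eval(), and that the first occurrence of a repeated directive wins; the function names are my own.

```javascript
// Added example (not from the issue thread or the Azure SDK): evaluate what a
// CSP header allows for eval() and WebAssembly, and narrow any relaxation to
// script-src so image, font and connect sources keep their restrictions.

// Parse "name src src; name src" into a Map; first occurrence of a directive wins.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Keyword source expressions ('self', 'unsafe-eval', ...) are ASCII case-insensitive.
function hasKeyword(sources, keyword) {
  return sources.some((s) => s.toLowerCase() === keyword);
}

// Which directive governs scripts, and what it permits.
function scriptPolicy(header) {
  const directives = parseCsp(header);
  const governing = directives.has('script-src')
    ? 'script-src'
    : directives.has('default-src') ? 'default-src' : null;
  if (governing === null) {
    // Neither directive present: CSP places no restriction on eval at all.
    return { governing, allowsJsEval: true, allowsWasm: true };
  }
  const sources = directives.get(governing);
  const allowsJsEval = hasKeyword(sources, "'unsafe-eval'");
  const allowsWasm = allowsJsEval || hasKeyword(sources, "'wasm-unsafe-eval'");
  return { governing, allowsJsEval, allowsWasm };
}

// Add sources to script-src only. If script-src is absent it is created from
// the default-src fallback, so every other resource type is unaffected.
function addScriptSources(header, extra) {
  const directives = parseCsp(header);
  const base = directives.get('script-src') ?? directives.get('default-src') ?? [];
  directives.set('script-src', [...new Set([...base, ...extra])]);
  return [...directives].map(([name, src]) => [name, ...src].join(' ')).join('; ');
}

// The header reported in the comment above, then the two candidate relaxations.
const ISSUE_POLICY =
  "default-src 'self' 'unsafe-inline' https: data: wss: https://fonts.googleapis.com https://fonts.gstatic.com; worker-src 'self' blob:";
const WASM_ONLY = addScriptSources(ISSUE_POLICY, ["'wasm-unsafe-eval'"]);
const FULL_EVAL = addScriptSources(ISSUE_POLICY, ["'unsafe-eval'"]);

console.log(scriptPolicy(ISSUE_POLICY)); // { governing: 'default-src', allowsJsEval: false, allowsWasm: false }
console.log(scriptPolicy(WASM_ONLY));    // { governing: 'script-src', allowsJsEval: false, allowsWasm: true }
console.log(scriptPolicy(FULL_EVAL));    // { governing: 'script-src', allowsJsEval: true, allowsWasm: true }
console.log(WASM_ONLY);
```

The WASM_ONLY variant is the one to try first when a stack trace points at WebAssembly compilation: it leaves eval() and new Function() blocked. If the violation persists under it, the library is compiling JavaScript at runtime as well (for example through generated glue code), and only 'unsafe-eval' on script-src will clear the error; keeping that keyword off default-src at least limits the relaxation to scripts.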