search

Azure / azure-sdk-for-js

This repository is for active development of the Azure SDK for JavaScript (NodeJS & Browser). For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/javascript/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-js.
MIT License
2.03k stars 1.19k forks source link

BackgroundBlurEffect requires Content Security Policy 'unsafe-eval' #30492

Open Mrlten opened 1 month ago

Mrlten commented 1 month ago

Describe the bug; what happened? Enabling the BackgroundBlurEffect (from @azure/communication-calling-effects) requires you to have unsafe-eval added to the Content Security Policy header. Without it, the background blur can't start and videocalling will fail.

Having to enable unsafe-eval could become a security issue because it opens up a lot of options for hackers. Maybe not with the ACS packages but you never know with other packages developers use in their apps.

@azure/communication-calling-effects is still in beta but I hope you can remove the need for eval / new Function(...).

EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'sha256-8ZgGo/nOlaDknQkDUYiedLuFRSGJwIz6LAzsOrNxhmU='".

    at new Function (<anonymous>)
    at qA (305071ff-fca2-45ba-9844-361245b8d91e:1:943836)
    at KA (305071ff-fca2-45ba-9844-361245b8d91e:1:943975)
    at B (305071ff-fca2-45ba-9844-361245b8d91e:1:953531)
    at A.<anonymous> (305071ff-fca2-45ba-9844-361245b8d91e:1:988305)
    at 305071ff-fca2-45ba-9844-361245b8d91e:1:986811
    at Object.next (305071ff-fca2-45ba-9844-361245b8d91e:1:986916)
    at 305071ff-fca2-45ba-9844-361245b8d91e:1:985828
    at new Promise (<anonymous>)
    at C (305071ff-fca2-45ba-9844-361245b8d91e:1:985573)

What are the steps to reproduce the issue?

  1. Clone the repro I made: https://github.com/Mrlten/AcsBackgroundBlur
    • It has a minimal CSP configured for the repro
  2. Install the npm packages
  3. Open acsbackgroundblur.client/src/App.tsx and set the userId/token with valid data from your Azure Communication Service
  4. Start the app using npm run dev
  5. In the browser open the Dev Tools and select the Console tab
  6. In the call composite, enable the camera, click on the Effects button and select 'Blur'
  7. The CSP error will now appear in the Dev Tools console

What behavior did you expect? The ability to use BackgroundBlurEffect without the need for unsafe-eval in the Content Security Policy.

If applicable, provide screenshots: n/a

In what environment did you see the issue?

Is there any additional information? n/a

JamesBurnside commented 1 month ago

Thanks for filing this issue @Mrlten, and thank you for the minimal repro, we were able to reproduce the issue locally. I am moving this issue for better triaging to where the @azure/communication-calling lives.

Mrlten commented 1 month ago

@JamesBurnside thanks for moving it to the correct repository!