CesiumGS / cesium

An open-source JavaScript library for world-class 3D globes and maps :earth_americas:
https://cesium.com/cesiumjs/
Apache License 2.0

Replace use of eval() #9024

Closed moxizhou closed 1 year ago

moxizhou commented 4 years ago

We are using CSP headers and ran into an issue using this library because of the use of unsafe eval.

https://github.com/CesiumGS/cesium/blob/2fd0e8f7e4212bd1e7084299187f70597a6bbfd8/Source/Workers/cesiumWorkerBootstrapper.js#L2285

I am wondering if there is an alternative for this?

shunter commented 4 years ago

This is in third-party code (requirejs) but after a quick look at the code, I'm pretty sure this code is never used in Cesium, so you could try commenting it out or removing it.

moxizhou commented 4 years ago

When I ran Cesium, it did go through the line mentioned above, but this was a while ago. I did not know this was third-party code though, so there is no way to remove it on the Cesium end?

OmarShehata commented 4 years ago

I don't think this is something we plan on changing at the moment, this is just part of how RequireJS works.

I would recommend adding an exception to allow this use of eval when running CesiumJS.
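As an added example (not Cesium or RequireJS code), here is a small check of whether a given Content-Security-Policy would permit the `eval()` the worker bootstrapper relies on. It follows the CSP Level 3 rule that `script-src` governs eval, falling back to `default-src` when `script-src` is absent, and that when several policies are delivered every one of them must allow it; the sample policies are constructed.

```javascript
// Added example: does a CSP header permit JavaScript eval()?
// Rules applied (CSP Level 3):
//  - eval is governed by script-src; if script-src is absent, default-src applies;
//  - if neither directive is present, eval is permitted;
//  - 'wasm-unsafe-eval' only covers WebAssembly compilation, not eval();
//  - when multiple policies are delivered, each one must permit eval.

function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers honour the first occurrence of a directive and ignore repeats.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function cspAllowsEval(header) {
  const directives = parseCsp(header);
  const governing = directives.has("script-src")
    ? directives.get("script-src")
    : directives.get("default-src");
  if (governing === undefined) return true; // no applicable directive
  return governing.some((src) => src.toLowerCase() === "'unsafe-eval'");
}

// Several CSP headers (or header + <meta>) combine restrictively: all must allow.
function policiesAllowEval(headers) {
  return headers.every(cspAllowsEval);
}

// Constructed sample policies mirroring the situation in this thread.
const strictPolicy = "default-src 'self'; script-src 'self' https://cdn.example.com";
const exceptionPolicy = "default-src 'self'; script-src 'self' 'unsafe-eval'";

console.log(cspAllowsEval(strictPolicy));    // false: the bootstrapper's eval is blocked
console.log(cspAllowsEval(exceptionPolicy)); // true: the recommended exception is present
```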

candrews commented 3 years ago

Is it possible that use of eval will be eliminated by https://github.com/CesiumGS/cesium/issues/9473 ?

mramato commented 3 years ago

@candrews Not as a side effect. The main problem here is that (at least last time I looked) Web Workers do not support loading ES6 modules directly, and you need to use an old-school browser module system (like AMD/RequireJS), which is why this code exists. However, it's probably worth looking into whether that has a better alternative now. I'll add a note to the linked issue for us to take a look. Thanks for the reminder!

alexfrigault commented 2 years ago

Has there been any update on this issue? We are trying to use Cesium in our application but we are required to not include 'unsafe-eval' in our CSP. Simply having Cesium load in through webpack runs into this issue.

ggetz commented 2 years ago

@alexfrigault No updates yet. We are potentially taking a look at eliminating requireJS and therefore eval as a part of some modernization efforts in the near future.

superFelix5000 commented 2 years ago

@ggetz any updates on this one? :)

ggetz commented 2 years ago

@pixelschubs Not yet. I would recommend keeping an eye on https://github.com/CesiumGS/cesium/issues/9473. We'll post any updates there.

boeckMt commented 1 year ago

@ggetz are there any updates on this issue? Issue https://github.com/CesiumGS/cesium/issues/9473 is closed and I didn't find anything helpful there.

I'm using the packages "@cesium/engine": "^2.2.0" and "@cesium/widgets": "^2.1.1"

ggetz commented 1 year ago

Hi, the most recent blocker for replacing requireJS in our packaged web workers was that Firefox did not support ESM modules in workers. The good news is that issue was recently marked as resolved!

I'll re-open this issue to track updating our build system to remove RequireJS.