Donaldcwl / browser-image-compression

Image compression in web browser
MIT License
1.3k stars 160 forks

`eval` usage is not allowed when using a sensible CSP #106

Closed buesing closed 1 year ago

buesing commented 3 years ago

I recently added a content security policy to my site and now I'm seeing this error:

nextZero EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' blob:".

It's because this library is using an eval call here: https://github.com/Donaldcwl/browser-image-compression/blob/0191a7ad0c7efaca13bb4545775974f3b3b862b7/lib/web-worker.js#L35

I'm wondering if this can be rewritten to use a different parsing strategy. Using eval is generally discouraged.

Donaldcwl commented 1 year ago

Removed use of eval in v2.0.1. Please read: https://github.com/Donaldcwl/browser-image-compression#remarks-on-content-security-policy-csp
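The check below is an added example, not part of this thread and not code from browser-image-compression: it parses a CSP string such as the one in the error above and reports whether string evaluation (`eval`) and `blob:` workers would be permitted, following the CSP fallback chains (`script-src` then `default-src` for eval; `worker-src`, `child-src`, `script-src`, `default-src` for workers). The function names are hypothetical, and it assumes a single enforced policy and that `blob:` must be listed explicitly to allow blob workers.

```javascript
// Added example: what does a CSP string permit for eval() and blob: workers?
// parseCsp, effectiveSources and checkPolicy are hypothetical helper names.

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// Source list of the first directive in the fallback chain that is present.
function effectiveSources(directives, chain) {
  for (const name of chain) {
    if (directives.has(name)) return directives.get(name);
  }
  return null; // no governing directive: this policy does not restrict it
}

function checkPolicy(policy) {
  const d = parseCsp(policy);
  const script = effectiveSources(d, ['script-src', 'default-src']);
  const worker = effectiveSources(d, [
    'worker-src', 'child-src', 'script-src', 'default-src',
  ]);
  return {
    // eval() and new Function() need 'unsafe-eval' in the governing list.
    evalAllowed: script === null || script.includes("'unsafe-eval'"),
    // Assumption: 'self' and '*' do not cover blob: URLs; it must be explicit.
    blobWorkerAllowed: worker === null || worker.includes('blob:'),
  };
}

// Constructed sample input: the policy quoted in the error message above.
console.log(checkPolicy("script-src 'self' blob:"));
```

Running it against a deployed policy before upgrading a dependency shows whether the page relies on `'unsafe-eval'` or on a `blob:` source for workers.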