Closed bbakerati closed 2 years ago
We do need to call some js function from wasm, so `eval` is necessary. The behavior is limited in worker, does not affect document.

So I hope one day this line can finally work: `worker-src 'unsafe-eval'`. Then the `eval` is only allowed in worker.
Currently, min CSP work in React + wasm in CDN + license host by dynamsoft:

```
child-src blob:;
worker-src blob:;
connect-src https://cdn.xxx https://mlts.dynamsoft.com https://slts.dynamsoft.com;
script-src https://cdn.xxx 'unsafe-eval';
img-src data: blob:;
media-src data:;
```
min CSP work in helloworld.html:

```
child-src blob:;
worker-src blob:;
connect-src https://cdn.jsdelivr.net/npm/dynamsoft-javascript-barcode@8.6.3/ https://mlts.dynamsoft.com https://slts.dynamsoft.com;
script-src https://cdn.jsdelivr.net/npm/dynamsoft-javascript-barcode@8.6.3/ 'unsafe-inline' 'unsafe-eval';
style-src 'unsafe-inline';
img-src data: blob:;
media-src data:;
```
We are researching to split worker and dom in different scopes, so CSP control can be more specific.
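The two minimal policies above are easiest to reason about once they are parsed into directives and resolved through CSP's fallback chain (`worker-src` falls back to `child-src`, then `script-src`, then `default-src`). The script below is an added example, not Dynamsoft code and not part of this thread: it parses a policy string, resolves which source list actually governs a directive, reports every `'unsafe-inline'`/`'unsafe-eval'` occurrence per directive (the form an audit finding usually takes), and answers the specific question here, whether `eval` is permitted, by looking at `script-src` rather than `worker-src`, because `script-src` is the directive that governs `eval`, and a `blob:` worker inherits the creating document's policy. The sample header value is constructed from the React + CDN policy quoted in the comment above.

```python
"""Parse a Content-Security-Policy value and audit it for eval/inline allowances.
Added example for this thread; not part of the dynamsoft-javascript-barcode project."""
from __future__ import annotations

# Keywords an audit typically flags inside a source list.
UNSAFE_KEYWORDS = ("'unsafe-inline'", "'unsafe-eval'")

# CSP fallback chains: when a directive is absent the browser consults the
# next directive in the chain. worker-src has the longest chain.
FALLBACK = {
    "worker-src": ("worker-src", "child-src", "script-src", "default-src"),
    "frame-src": ("frame-src", "child-src", "default-src"),
    "child-src": ("child-src", "default-src"),
    "script-src": ("script-src", "default-src"),
    "style-src": ("style-src", "default-src"),
    "connect-src": ("connect-src", "default-src"),
    "img-src": ("img-src", "default-src"),
    "media-src": ("media-src", "default-src"),
}

# Constructed sample: the React + CDN minimal policy quoted above, joined into
# a single header value as it would be sent on the wire.
SAMPLE_CSP = (
    "child-src blob:; worker-src blob:; "
    "connect-src https://cdn.xxx https://mlts.dynamsoft.com https://slts.dynamsoft.com; "
    "script-src https://cdn.xxx 'unsafe-eval'; "
    "img-src data: blob:; media-src data:;"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive-name: [source expressions]}.

    Directives are ';'-separated; within one, the first token is the name and
    the rest are whitespace-separated sources. Names are case-insensitive and,
    as in browsers, the first occurrence of a name wins over later duplicates.
    """
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue  # empty segment, e.g. after a trailing ';'
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Resolve the source list that actually governs `directive` by walking
    its fallback chain. None means no directive applies, i.e. unrestricted."""
    for name in FALLBACK.get(directive, (directive, "default-src")):
        if name in policy:
            return policy[name]
    return None


def allows_eval(policy: dict[str, list[str]]) -> bool:
    """eval()/new Function() are governed by script-src (or its default-src
    fallback). A blob: worker inherits the creating document's policy, so
    the same check applies there; worker-src only restricts which URLs a
    worker script may be loaded from."""
    sources = effective_sources(policy, "script-src")
    if sources is None:
        return True  # no script restriction at all
    return any(src.lower() == "'unsafe-eval'" for src in sources)


def audit_unsafe(policy: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Return (directive, keyword) pairs for every unsafe keyword present, in
    policy order, so a report can point at the exact directive to tighten."""
    findings: list[tuple[str, str]] = []
    for directive, sources in policy.items():
        for src in sources:
            if src.lower() in UNSAFE_KEYWORDS:
                findings.append((directive, src.lower()))
    return findings


if __name__ == "__main__":
    policy = parse_csp(SAMPLE_CSP)
    print("worker scripts may load from:", effective_sources(policy, "worker-src"))
    print("eval permitted:", allows_eval(policy))
    for directive, keyword in audit_unsafe(policy):
        print(f"finding: {directive} contains {keyword}")
```

Running it on the sample reports a single finding, `script-src` containing `'unsafe-eval'`, which is exactly the allowance the audit in this thread asks to remove; the `worker-src blob:` entry contributes nothing to that result because it only scopes where worker scripts come from.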
OK that makes sense to me. Thanks for clarifying. We will work to apply the min CSP recommended above, and appreciate your help.
I am using `dynamsoft-barcode-reader@8.6.3` in a web application built with React. We recently had a security audit of the application that recommended adding a stricter Content Security Policy. Due to the use of the `eval` function in the `wasm.js` file, we are unable to remove `unsafe-eval` from our content security policy, which the audit recommends. Do you have a way to avoid using the `wasm.js` script altogether, or do you have future plans to remove the use of `eval` in these JavaScript files?

Here is the line where the import failure occurs when `unsafe-eval` is not part of the Content Security Policy: https://github.com/Dynamsoft/javascript-barcode/blob/3f4fc90c722d324b4aa453c13d7e60bb12a25eed/dist/dbr-8.6.3.worker.js#L25

3 uses of `eval` in `dbr-8.6.3.wasm.js`:
https://github.com/Dynamsoft/javascript-barcode/blob/3f4fc90c722d324b4aa453c13d7e60bb12a25eed/dist/dbr-8.6.3.wasm.js#L78
https://github.com/Dynamsoft/javascript-barcode/blob/3f4fc90c722d324b4aa453c13d7e60bb12a25eed/dist/dbr-8.6.3.wasm.js#L120