Keillion
commented
2 years ago We do need to call some js function from wasm, so eval is necessary. The behavior is limited in worker, does not affect document.
So I hope one day this line can finally work: worker-src 'unsafe-eval'. Then the eval is only allowed in worker.
Currently, min CSP work in React + wasm in CDN + license host by dynamsoft:
child-src blob:;
worker-src blob:;
connect-src https://cdn.xxx https://mlts.dynamsoft.com https://slts.dynamsoft.com;
script-src https://cdn.xxx 'unsafe-eval';
img-src data: blob:;
media-src data:;min CSP work in helloworld.html:
child-src blob:;
worker-src blob:;
connect-src https://cdn.jsdelivr.net/npm/dynamsoft-javascript-barcode@8.6.3/ https://mlts.dynamsoft.com https://slts.dynamsoft.com;
script-src https://cdn.jsdelivr.net/npm/dynamsoft-javascript-barcode@8.6.3/ 'unsafe-inline' 'unsafe-eval';
style-src 'unsafe-inline';
img-src data: blob:;
media-src data:;We are researching to split worker and dom in different scopes, so CSP control can be more specific.
bbakerati
I am using
dynamsoft-barcode-reader @8.6.3in a web application built with React. We recently had a security audit of the application that recommended adding a stricter Content Security Policy. Due to the use of theevalfunction in thewasm.jsfile, we are unable to removeunsafe-evalfrom our content security policy, which the audit recommends.Do you have a way to avoid using the
wasm.jsscript altogether, or do you have future plans to remove the use ofevalin these JavaScript files?Here is the line where the import failure occurs when
unsafe-evalis not part of the Content Security Policy:https://github.com/Dynamsoft/javascript-barcode/blob/3f4fc90c722d324b4aa453c13d7e60bb12a25eed/dist/dbr-8.6.3.worker.js#L25
3 uses of
evalindbr-8.6.3.wasm.js: https://github.com/Dynamsoft/javascript-barcode/blob/3f4fc90c722d324b4aa453c13d7e60bb12a25eed/dist/dbr-8.6.3.wasm.js#L78 https://github.com/Dynamsoft/javascript-barcode/blob/3f4fc90c722d324b4aa453c13d7e60bb12a25eed/dist/dbr-8.6.3.wasm.js#L120