IdentityModel / oidc-client-js

OpenID Connect (OIDC) and OAuth2 protocol support for browser-based JavaScript applications
Apache License 2.0

Library causes CSP issue (no error) #1311

Closed Gerrit-K closed 3 years ago

Gerrit-K commented 3 years ago

We recently implemented CSPs in our app (which transitively uses oidc-client) and found that Chrome reports an issue that we currently don't know how to get rid of. With non-optimized builds and breakpoints we tracked its origin down to oidc-client, although its real origin seems to be webpack code. We still hope that someone could shed some light on this and maybe provide a workaround.

The CSP warning from Chrome is this: [image]

The offending code is this snippet from oidc-client.js: [image]

It's clear that this isn't a real issue, as the code only attempts to execute that function and (if in strict mode) catches the error and executes a workaround instead. However the attempt still pops up in Chrome as a warning, so we wonder:

  1. Is this avoidable in any way?
  2. Are we doing something wrong?
  3. Is the webpack code there on purpose? (asking because a quick Google search yields reports of accidental node_modules imports. I don't expect them here, just wanted to ask)

Thanks!
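The behaviour described in the report, as an added example that is not code from oidc-client-js, from webpack, or from anyone in this thread: a global-object shim that falls back to `new Function("return this")` will trigger a CSP report whenever `script-src` lacks `'unsafe-eval'`, even though its `catch` block recovers and the app keeps working. The block below shows that legacy pattern next to a resolver that never evaluates dynamic code, plus a small scanner that lists the constructs in a built bundle that would need `'unsafe-eval'`, which is the quickest way to locate the dependency responsible without breakpoints. All function names (`resolveGlobalLegacy`, `resolveGlobalSafe`, `scanBundleForUnsafeEval`) and the sample bundle text are assumptions constructed for the example.

```javascript
"use strict";

// Added example; not oidc-client-js or webpack code. The sample bundle text
// below is constructed to resemble a global-detection shim, nothing more.

// Legacy pattern: in sloppy mode top-level `this` is the global object, in
// strict mode it is undefined, so some shims fall back to Function("return this").
// That fallback is what a CSP without 'unsafe-eval' blocks, and the browser
// reports the attempt even though the catch block recovers from it.
function resolveGlobalLegacy() {
  let g;
  try {
    // eslint-disable-next-line no-new-func
    g = new Function("return this")();
  } catch (e) {
    // CSP (or an engine without dynamic code) rejected it; fall back to window.
    if (typeof window === "object") g = window;
  }
  return g;
}

// CSP-safe pattern: probe the well-known global names in order. No dynamic
// code is evaluated, so nothing is sent to the CSP report endpoint.
function resolveGlobalSafe() {
  if (typeof globalThis === "object") return globalThis; // ES2020+
  if (typeof self === "object") return self;             // browsers, workers
  if (typeof window === "object") return window;         // older browsers
  if (typeof global === "object") return global;         // older Node.js
  throw new Error("unable to locate the global object");
}

// Constructs that require 'unsafe-eval' in script-src under CSP level 2/3.
const UNSAFE_EVAL_PATTERNS = [
  { name: "Function constructor", re: /\bnew\s+Function\s*\(|\bFunction\s*\(\s*["'`]/g },
  { name: "eval()", re: /\beval\s*\(/g },
  { name: "setTimeout/setInterval with a string", re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/g },
];

// Scan bundle source text and return one finding per match with its 1-based line.
function scanBundleForUnsafeEval(source) {
  const findings = [];
  for (const { name, re } of UNSAFE_EVAL_PATTERNS) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(source)) !== null) {
      const line = source.slice(0, m.index).split("\n").length;
      findings.push({ pattern: name, line, snippet: m[0] });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample bundle (not real webpack or oidc-client output).
const SAMPLE_BUNDLE = [
  "var g;",
  "g = (function () { return this; })();",
  "try {",
  "  g = g || new Function(\"return this\")();",
  "} catch (e) {",
  "  if (typeof window === \"object\") g = window;",
  "}",
  "module.exports = g;",
].join("\n");

// Usage: run the scanner over a built bundle to find the offending line.
for (const f of scanBundleForUnsafeEval(SAMPLE_BUNDLE)) {
  console.log(`line ${f.line}: ${f.pattern} -> ${f.snippet}`);
}
```

Running the scanner over a real production bundle reports every `new Function(` / `eval(` site with its line number; mapping that line back through the bundle's source map identifies the dependency. A Chrome report for the legacy pattern is expected to persist until the shim is replaced with a `globalThis`-style probe, since the violation is raised at the attempt, not at the catch.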

brockallen commented 3 years ago

No idea, sorry. I'd ask in the webpack repo?

Gerrit-K commented 3 years ago

@brockallen Thanks for the hint. Searching through the webpack issues yielded two results that look pretty related:

Unfortunately none of the workarounds described there seem to work in our case. Now, I'm not that experienced with node (let alone webpack), but my intuition tells me that they wouldn't work anyway, as oidc-client is already bundled with this global.js code, so webpack has no other choice than importing that. Is this true or am I misunderstanding something?

brockallen commented 3 years ago

I'm also not a webpack expert (I had a colleague help me with that part of this library and others have helped with PRs over time).

brockallen commented 3 years ago

BTW I do test CSP in the VanillaJS sample without unsafe eval and it's working.