If CSP forbids eval and new Function (and <script> injection) for safety, then code transpiled into JSF does no more work. As JSF transpiles the code into a string which must be evaluated.
I think this is a big flaw. Also I consider the use of eval to be cheating, as this way JSF just only does a string conversion and leaves the real dirty part to eval.
Is there a (known) subset (or variant/mode) which would make it able to transpile things into code, which does not need to be evaled? Is this even possible? Of course I think the character set must be slightly extended (like allow of = or some idiomatic function ($){ with a closing }, only used for direct function definition which is allowed under such CSP).
Sorry if this is a FAQ, but I tried myself a few hours and failed even with try to Google for something like that. Am I really the first one to ask?
If CSP forbids
evalandnew Function(and<script>injection) for safety, then code transpiled into JSF does no more work. As JSF transpiles the code into a string which must be evaluated.Is there a (known) subset (or variant/mode) which would make it able to transpile things into code, which does not need to be
evaled? Is this even possible? Of course I think the character set must be slightly extended (like allow of=or some idiomaticfunction ($){with a closing}, only used for direct function definition which is allowed under such CSP).