aolsenjazz / libsamplerate-js

Resample audio in node or browser using a web assembly port of libsamplerate.

Why does the library require unsafe-eval in the CSP policy? #124

Closed mbuttu closed 1 year ago

mbuttu commented 1 year ago

Summary

Hello, thank you for the library. Is there a specific reason the library needs to use new Function or eval? This ends up requiring unsafe-eval to be listed in the CSP policy. Is there a way around that?

Thank you!

aolsenjazz commented 1 year ago

Thanks for raising this. Looking into it now - looks like emscripten is generating some new Function()s.

aolsenjazz commented 1 year ago

Looks like you should be able to get this to work with a more reasonable CSP by setting DYNAMIC_EXECUTION to 0 when compiling the library. Will test this weekend but please feel free to test this if you get a moment.

aolsenjazz commented 1 year ago

Just pushed v2.0.4 to NPM - this update prevents new Function() and eval() calls from being created during emscripten compilation. Now, the most secure CSP you can use w.r.t. this library is default-src 'wasm-unsafe-eval'; connect-src data:.

You can take this a step further by using v1.4.3, which will drop SINGLE_FILE during compilation. Then, your CSP can look like default-src 'wasm-unsafe-eval'. Makes it more of a pain to manage the .wasm file tho.

Hope this provides some good info and you're able to find a good solution!
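The check a consumer of the library would want after this thread, as an added example (not code from the issue or from libsamplerate-js): scan a built bundle for the `new Function(` / `eval(` constructs that force `'unsafe-eval'` into a CSP, and derive the directives the thread describes for the two packaging modes (SINGLE_FILE build with the .wasm embedded as a data: URL versus a separate .wasm file). The sample bundle text is constructed; the directives match the maintainer's comments above, and a real policy would still add `'self'` or other sources for the rest of the application.

```javascript
// Added example, not part of the issue thread or the libsamplerate-js project.
// Audits a JavaScript bundle for dynamic-execution constructs and builds the
// CSP directives the library needs once those constructs are gone.

// Constructs that require 'unsafe-eval' in script-src / default-src.
// Deliberately simple patterns; a real audit should also load the bundle in a
// browser under the strict policy and watch for CSP violation reports.
const DYNAMIC_EXEC_PATTERNS = [
  { name: "new Function", re: /\bnew\s+Function\s*\(/ },
  { name: "eval", re: /\beval\s*\(/ },
];

// Returns [{ name, line }] for every dynamic-execution construct in `source`.
function findDynamicExecution(source) {
  const hits = [];
  source.split("\n").forEach((text, idx) => {
    for (const { name, re } of DYNAMIC_EXEC_PATTERNS) {
      if (re.test(text)) hits.push({ name, line: idx + 1 });
    }
  });
  return hits;
}

// Builds the directives this library needs, as described in the thread.
// singleFile=true: emscripten SINGLE_FILE build, .wasm embedded as a data: URL,
// so the fetch of that URL must be allowed by connect-src data:.
// singleFile=false: separate .wasm file, connect-src data: not required.
function buildCsp({ singleFile }) {
  const directives = ["default-src 'wasm-unsafe-eval'"];
  if (singleFile) directives.push("connect-src data:");
  return directives.join("; ");
}

// Constructed sample bundle text (not real emscripten output): a "before"
// bundle with dynamic execution and an "after" bundle without it.
const SAMPLE_BUNDLE_BEFORE = [
  "var Module = {};",
  "var fn = new Function('a', 'return a');", // line 2
  "Module.x = eval('1+1');",                  // line 3
  "WebAssembly.instantiate(bytes);",
].join("\n");

const SAMPLE_BUNDLE_AFTER = [
  "var Module = {};",
  "WebAssembly.instantiate(bytes);",
].join("\n");

// Summarises an audit: whether the bundle can run without 'unsafe-eval' and
// which CSP to ship if it can.
function auditBundle(source, { singleFile }) {
  const hits = findDynamicExecution(source);
  return {
    needsUnsafeEval: hits.length > 0,
    hits,
    csp: hits.length > 0 ? null : buildCsp({ singleFile }),
  };
}

console.log(auditBundle(SAMPLE_BUNDLE_BEFORE, { singleFile: true }));
console.log(auditBundle(SAMPLE_BUNDLE_AFTER, { singleFile: true }));
console.log(auditBundle(SAMPLE_BUNDLE_AFTER, { singleFile: false }));
```

The scan is a cheap pre-deployment check; the authoritative test is still loading the bundle in a browser under the intended policy and confirming no violation reports appear.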