Closed mbuttu closed 1 year ago
Thanks for raising this. Looking into it now - looks like emscripten is generating some new Function()s.
Looks like you should be able to get this to work with a more reasonable CSP by setting DYNAMIC_EXECUTION
to 0 when compiling the library. Will test this weekend but please feel free to test this if you get a moment.
Just pushed v2.0.4 to NPM - this update prevents new Function() and eval() calls from being created during emscripten compilation. Now, the most secure CSP you can use w.r.t. this library is default-src 'wasm-unsafe-eval'; connect-src data:.
You can take this a step further by using v1.4.3, which will drop SINGLE_FILE during compilation. Then, your CSP can look like default-src 'wasm-unsafe-eval'. Makes it more of a pain to manage the .wasm file tho.
Hope this provides some good info and you're able to find a good solution!
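Added example, not part of the thread and not the library's own code: a small checker that parses a CSP string and reports whether it permits eval()/new Function(), WebAssembly compilation, and data: connections. It is run on the two policies quoted above plus one constructed policy that lists 'unsafe-eval'; all function names are hypothetical.

```javascript
// Added example; function names are hypothetical, not the library's API.

// Parse a CSP string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    // Sources are lowercased because only keywords and schemes are matched here.
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// Source list governing a fetch directive, falling back to default-src.
// Returns null when neither is present (nothing is restricted).
function effectiveSources(directives, name) {
  return directives.get(name) ?? directives.get('default-src') ?? null;
}

function evaluateCsp(policy) {
  const d = parseCsp(policy);
  const script = effectiveSources(d, 'script-src');
  const connect = effectiveSources(d, 'connect-src');
  const allows = (list, source) => list === null || list.includes(source);
  const jsEval = allows(script, "'unsafe-eval'");
  return {
    jsEval,                                               // eval(), new Function()
    wasmCompile: jsEval || allows(script, "'wasm-unsafe-eval'"),
    connectData: allows(connect, 'data:'),                // '*' does not cover data:
  };
}

const samples = [
  "default-src 'wasm-unsafe-eval'; connect-src data:",   // quoted in the thread
  "default-src 'wasm-unsafe-eval'",                       // quoted in the thread
  "default-src 'self' 'unsafe-eval'",                     // constructed sample
];
for (const p of samples) console.log(p, '=>', evaluateCsp(p));
```

The third policy is the only one of the three under which eval() and new Function() would run; the first two allow WebAssembly compilation without it.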
Summary
Hello, thank you for the library. Is there a specific reason the library needs to use new Function or eval? This ends up requiring unsafe-eval to be listed in the CSP policy. Is there a way around that? Thank you!