brownhci / WebGazer

WebGazer.js: Scalable Webcam EyeTracking Using User Interactions
https://webgazer.cs.brown.edu

request to move off numeric #211

Closed djkramnik closed 1 year ago

djkramnik commented 3 years ago

The numeric library has some eval of raw strings for reasons I don't understand. This causes Chrome to prevent extensions from running the tensorflow.js file due to this error: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'". Is it possible to either migrate off numeric or fork it and remove the evals? Would you support this idea?

xanderkoo commented 3 years ago

Hmm, how did you get this error? I don't think we've ever encountered this issue before. Could you share more context? Migrating off numeric would mean reconfiguring the entire regression calculation which is a huge undertaking -- I attempted to migrate to tensor-based calculations last year but didn't get very far. I think one of the bottlenecks was a lack of an LUSolve function in tfjs at the time.

Skylion007 commented 3 years ago

Yeah, we used to use numeric because there weren't any other JS Linalg libraries at the time. We can definitely move off it, it will just take some time.

djkramnik commented 3 years ago

> Hmm, how did you get this error? I don't think we've ever encountered this issue before. Could you share more context? Migrating off numeric would mean reconfiguring the entire regression calculation which is a huge undertaking -- I attempted to migrate to tensor-based calculations last year but didn't get very far. I think one of the bottlenecks was a lack of an LUSolve function in tfjs at the time.

You can run into this when trying to run the webgazer.js script in the context of a webpage as part of a chrome or firefox extension. There are parts of numeric where it evaluates strings as code,

i.e. https://github.com/sloisel/numeric/blob/656fa1254be540f428710738ca9c1539625777f1/src/numeric.js#L331

Under the default security policy of these extensions, webgazer.js cannot be run due to these unsafe evals in numeric. You would get an error like this:

    EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive

There are workarounds, but they are not ideal and may prevent distribution of the extensions, i.e.:

> Note: Valid examples display the correct use of keys in CSP. However, extensions with 'unsafe-eval', 'unsafe-inline', remote script, blob, or remote sources in their CSP are not allowed for extensions listed on addons.mozilla.org due to major security issues.

from this documentation: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy

Anyway, I wanted to gauge your openness to using a trimmed down or altered version of numeric to avoid this issue. If so I may work on a PR for this.
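
The mechanism behind the error above, as an added example that is not code from WebGazer, numeric, or any participant in this thread: a feature check for whether the runtime permits dynamic code evaluation, a simplified and hypothetical stand-in for the string-to-function pattern that trips the CSP (numeric's real helpers are larger), and a CSP-safe higher-order replacement that needs no `'unsafe-eval'`. The manifest fragment in the comment is the `'unsafe-eval'` workaround the MDN note quoted above says addons.mozilla.org rejects, shown only for contrast.

```javascript
// Added example. Not part of WebGazer or numeric.

// Under an extension's default CSP ("script-src 'self'"), both eval() and
// the Function constructor throw EvalError. This check lets a library
// decide at load time whether a code-generating path is usable at all.
function dynamicCodeAllowed() {
  try {
    // eslint-disable-next-line no-new-func
    return new Function('return 1')() === 1;
  } catch (e) {
    // EvalError: Refused to evaluate a string as JavaScript ...
    return false;
  }
}

// Hypothetical, simplified version of the pattern that fails: assemble a
// function body as a string and compile it at runtime. The string passed
// to Function() is what the CSP refuses to evaluate.
function pointwiseCodegen(expr) {
  // expr is a JS statement operating on x[i] and ret[i], e.g. 'ret[i] = x[i] * 2;'
  const body =
    'var ret = new Array(x.length);' +
    'for (var i = 0; i < x.length; i++) { ' + expr + ' }' +
    'return ret;';
  // eslint-disable-next-line no-new-func
  return new Function('x', body); // blocked without 'unsafe-eval'
}

// CSP-safe equivalent: a higher-order function closing over a plain
// callback. No string is ever compiled, so it runs under "script-src 'self'"
// and needs no manifest changes.
function pointwiseSafe(fn) {
  return function apply(x) {
    const ret = new Array(x.length);
    for (let i = 0; i < x.length; i++) ret[i] = fn(x[i], i);
    return ret;
  };
}

// Same idea for nested arrays (matrices, tensors): recurse on arrays,
// apply the callback at the leaves. Still no runtime code generation.
function pointwiseDeep(fn) {
  const apply = (x) => (Array.isArray(x) ? x.map(apply) : fn(x));
  return apply;
}

// Pick the codegen path only where the environment allows it, otherwise
// fall back to the closure-based path. Both produce identical results,
// so callers never have to know which one ran.
function makeDoubler() {
  if (dynamicCodeAllowed()) return pointwiseCodegen('ret[i] = x[i] * 2;');
  return pointwiseSafe((v) => v * 2);
}

// The workaround the thread mentions (MV2-style manifest.json) loosens the
// policy instead of fixing the library, and is not accepted for listing on
// addons.mozilla.org:
//
//   "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
//
// Removing the Function()/eval() calls from the dependency is the fix that
// keeps the default policy intact.

if (typeof require !== 'undefined' && require.main === module) {
  console.log('dynamic code allowed here:', dynamicCodeAllowed());
  console.log(makeDoubler()([1, 2, 3]));             // [2, 4, 6]
  console.log(pointwiseDeep((v) => v + 1)([[1, 2], [3]])); // [[2, 3], [4]]
}
```

In a page or extension context where `dynamicCodeAllowed()` returns false, only the closure-based helpers will work, which is exactly why a dependency that unconditionally calls `Function()` cannot be shipped under the default policy.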

Skylion007 commented 3 years ago

Yeah, we would definitely like to move off of it for code cleanliness and performance reasons. Numeric isn't maintained anyway. PR welcome.

jeffhuang commented 1 year ago

Committed in ae20073