Use of `eval` violates Content Security Policy in browsers

[ekilah]

Hi,

I'm posting this issue as an indirect user of the product of your library, so sorry for any misunderstandings about how things work on my end.

Long story short, eval is a somewhat contentious function in browser-land, and often a Content Security Policy for a website will prevent its use to avoid accidentally leaving any attack vectors open for running user-generated code.

I was looking to use React PDF, a popular library to render a PDF in a React app, which uses several dependencies to accomplish that task. One of its dependencies is Yoga, a cross-platform rendering engine that uses this project.

Ok, so that's how I got here. The issue with react-pdf is summarized well in my issue there: https://github.com/diegomura/react-pdf/issues/510 . The owner of that repo suggested at least trying to start a conversation here.

I'm making this issue here to ask if it's at all possible for this project to not use eval. I ask that with some hesitation, because I have a feeling it's fairly core to the functionality here, but it is worth asking. I know that this project is fairly far away from browser interaction in terms of intended scope, and on top of that it is working to bridge C++ and JS, so the answer may very likely be "no," but here I am 😄

[AgarwalShyam]

Hi Team,

We have also used the same @react-pdf/renderer package but getting the CSP issue in the chrome browser, is anybody has any update on this or any workaround?

Thanks & Regards, Shyam Agarwal

[sezny]

Any updates ?

[MatanYemini]

Any updates on this?

[seanquinn]

Also curious on this?

[jepek]

Would be great to fix this.

[Haraldson]

I think this issue at least deserves a response from the maintainers? Even if it’s a ‘no, we‘re not gonna spend time looking into that’?

[w90]

Would be great to fix this, +1