CSP violation if 'unsafe-eval' not allowed

contentful / contentful.js

JavaScript library for Contentful's Delivery API (node & browser)

https://contentful.github.io/contentful.js

MIT License

1.18k stars 197 forks source link

CSP violation if 'unsafe-eval' not allowed #2214

Open dndrsn opened 4 months ago

dndrsn commented 4 months ago

Expected Behavior

JavaScript eval not to be required.

Actual Behavior

CSP violation error if CSP is not set to allow unsafe-eval. This issue was introduced in version 10.9.0. Version 10.8.10 works as expected without any issue.

Possible Solution

Remove/refactor change introduced in version 10.9.0 which uses eval.

Steps to Reproduce

Create webpage with any CSP that does not allow unsafe-eval. Load page in browser.

This same issue occurred previously -- https://github.com/contentful/contentful.js/issues/1881

bmerigan commented 4 months ago

Yep, we are rolling back the version we use due to this.

josephm0017 commented 3 months ago

We're also facing the same issue and it's severely impacting us.

Are there any updates?
Will it be resolved soon?

Can you please advise.

bmerigan commented 3 months ago

Tagging @veu to ensure developers are aware of this, not to be pushy but because there's no indication that this is known.
We're locked at 10.8.10 until this is resolved.

axe312ger commented 2 months ago

Our restructuring of the project and bundling will fix this. It will remove the eval which triggers the warning. An alpha version to test is coming soon!

Follow progress of the (massive) PR here: #2169

mgoudy91 commented 1 month ago

If interested, we have an alpha release available as we prep for a full release.

https://www.npmjs.com/package/contentful/v/11.0.0-next.1 if you're interested in checking it out

attalbialami commented 2 weeks ago

@mgoudy91 Do you have any idea about the full release date ?

tplante commented 1 week ago

@mgoudy91 any news on v11 full release date? We're between a rock and a hard place because v10.8 uses an insecure version of axios, and 10.9+ carries this CSP issue.

mgoudy91 commented 1 week ago

Hey @attalbialami and @tplante appreciate your patience and sorry for the delay. We're working on getting the full release out this week, I'll keep you updated in this channel when that's available

mgoudy91 commented 6 days ago

Quick update, we're investigating an issue and will likely not have the update out this week, and think early next might be more accurate. This remains a high priority for us and will continue to update here.

tplante commented 1 hour ago

@mgoudy91 what is the latest with the release?