Unsafe-eval usage in Cosmograph causing CSP issues

[Gowthamarajan99]

Hi,

I'm currently facing an issue when trying to render the Cosmograph page in my project. The Content Security Policy (CSP) enforced by our Infosec team does not allow the use of unsafe-eval. As a result, I'm encountering the following error:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src"

Since unsafe-eval is not recommended and will not be approved by our security team, I'm unable to proceed with using Cosmograph under the current CSP settings.

Request: Is there any workaround or alternative approach that avoids the use of unsafe-eval? If not, could you please address this issue in the next release.

thanks in advance

[rokotyan]

@Gowthamarajan99 Thanks for bringing this to our attention, we'll get back to you soon

[rokotyan]

@Gowthamarajan99 Can you please try version 1.4.1-beta.0 and tell us whether it worked or not?

https://www.npmjs.com/package/@cosmograph/cosmograph/v/1.4.1-beta.0

[Gowthamarajan99]

@rokotyan Thanks for your reply. I tried upgrading to version 1.4.1-beta.0 of the package, but I am still facing the same issue. Is there anything we can do regarding this package?

[Gowthamarajan99]

Hi @rokotyan. I wanted to follow up on this issue. I tried the suggested update, but it didn't work as expected. just wanted to check if there have been any updates for this unsafe-eval issue.

[rokotyan]

@Gowthamarajan99 Thanks for the reminder. It's on our to do list and definitely is an important item. I'll see if we can prioritize it, I'll keep you posted.

[Gowthamarajan99]

Thanks @rokotyan for the update. please let me know once it's fixed.

[rokotyan]

@Gowthamarajan99 We'll let you know. It's not a straightforward problem unfortunately, but we have some ideas.