davidmarkclements / fast-redact

very fast object redaction
MIT License
284 stars 30 forks

Option to not use eval/Function for use in a CSP environment without unsafe-eval #68

Closed segevfiner closed 8 months ago

segevfiner commented 8 months ago

Using fast-redact is currently not possible with a CSP without unsafe-eval in the browser. An option to not use eval/Function, at the cost of worse performance, will be helpful for such environments.

jsumners commented 8 months ago

Utilizing Function is core to the design of this module. You're going to want to use a different redactor.

segevfiner commented 8 months ago

Any recommendations for something similar?

jsumners commented 8 months ago

I do not know of anything. Research would need to be done.

segevfiner commented 2 months ago

Hmmm. An idea: we can have an option to inject a script tag into the DOM instead of using eval when in the browser, which can be allowed under a CSP using a nonce that we will need to receive and include with the tag as well.
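
A redactor that works under a CSP without `unsafe-eval` has to interpret the redaction paths on each call instead of compiling them with `Function`, which is the performance trade-off raised in the issue. The sketch below is an added example, not part of the thread and not fast-redact's code or API; `parsePath`, `redactAt`, `makeRedactor` and the simplified path syntax (dots, `[*]`, `[n]`) are assumptions made for illustration.

```javascript
// Added example: hypothetical helper names, not fast-redact's API.
// Split "users[*].token" into ['users', '*', 'token'] once, up front.
// No code is generated at runtime, so nothing here needs 'unsafe-eval'.
function parsePath(path) {
  const segments = [];
  const re = /([^.[\]]+)|\[(\*|\d+)\]/g;
  let m;
  while ((m = re.exec(path)) !== null) {
    segments.push(m[1] !== undefined ? m[1] : m[2]);
  }
  if (segments.length === 0) throw new Error('invalid path: ' + path);
  return segments;
}

// Walk the object by interpreting the segments; '*' fans out over own keys.
function redactAt(node, segments, depth, censor) {
  if (node === null || typeof node !== 'object') return;
  const seg = segments[depth];
  const keys = seg === '*' ? Object.keys(node) : [seg];
  for (const key of keys) {
    // Own properties only: a path can never reach or create prototype members.
    if (!Object.prototype.hasOwnProperty.call(node, key)) continue;
    if (depth === segments.length - 1) node[key] = censor;
    else redactAt(node[key], segments, depth + 1, censor);
  }
}

// Returns a function that redacts the given paths in place and returns the object.
function makeRedactor(paths, censor = '[REDACTED]') {
  const parsed = paths.map(parsePath);
  return function redact(obj) {
    for (const segments of parsed) redactAt(obj, segments, 0, censor);
    return obj;
  };
}

// Constructed sample input.
function demo() {
  const redact = makeRedactor(['password', 'headers.cookie', 'users[*].token']);
  return redact({
    password: 'hunter2',
    headers: { cookie: 'sid=abc', host: 'example.test' },
    users: [{ name: 'a', token: 't1' }, { name: 'b', token: 't2' }]
  });
}
```

The redactor mutates its argument, so pass a copy when the original object must stay intact.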