devote / HTML5-History-API

HTML5 History API expansion for browsers not supporting pushState, replaceState
http://spb-piksel.ru
MIT License

MSIE detection uses eval which is blocked by browser Content Security Policy #70

Closed simonrycroft closed 9 years ago

simonrycroft commented 9 years ago

Hi,

This line in history.js:

var msie = window['eval'] && eval("/*@cc_on 1;@*/");

causes a problem if the server sends a Content-Security-Policy header. JS execution is stopped and the console gives errors like this:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'

The use of eval is not permitted. More info here:

http://www.html5rocks.com/en/tutorials/security/content-security-policy/#eval-too

I've done a little tweaking and I believe this would work just as well, without the use of eval:

var msie = /*@cc_on 1!@*/false;

Thanks.

devote commented 9 years ago

Hi, thanks for the comment.

I've done a little tweaking and I believe this would work just as well, without the use of eval:

eval is needed so that Google Closure Compiler does not delete this line when compiling.

devote commented 9 years ago

There is a solution:

var msie = global['execScript'] && (global['execScript']('var documentMsie/*@cc_on =1@*/;', 'JavaScript'), global.documentMsie);

Please check this solution, Thank you!

simonrycroft commented 9 years ago

Hi,

Thank you! I'll check it as soon as I get into the office tomorrow.

Simon

devote commented 9 years ago

Okay, waiting for tomorrow.

simonrycroft commented 9 years ago

Hi Dmitrii,

Unfortunately this causes an error in Chrome and possibly other browsers:

Uncaught ReferenceError: global is not defined

Si


devote commented 9 years ago

Very strange, I checked in chrome, no problems.

Did you simply change the line at 1136?

simonrycroft commented 9 years ago

Sorry my mistake. I didn't realise we had an out of date version of history.js. No errors now. Thank you!


devote commented 9 years ago

It's good.

I'll add this solution to a release.

simonrycroft commented 9 years ago

Great stuff. Thanks for your help.

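Added example, not part of history.js or of this thread: a small JavaScript audit that decides from a Content-Security-Policy header value whether string evaluation is permitted and, if it is not, lists the source lines that call eval-style sinks. The function names and the sample header are assumptions; the sample source is the three detection lines quoted in the thread.

```javascript
// Parse one policy into a map: directive name -> list of source expressions.
function parseCsp(policyText) {
  const policy = Object.create(null);
  for (const part of policyText.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1); // first occurrence wins
  }
  return policy;
}

// String evaluation is governed by script-src, falling back to default-src.
// A header may carry several comma-separated policies; every one must allow it.
function allowsEval(headerValue) {
  return headerValue.split(',').every((policyText) => {
    const policy = parseCsp(policyText);
    const sources = policy['script-src'] || policy['default-src'];
    if (!sources) return true; // no governing directive in this policy
    return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
  });
}

// Calls that evaluate a string as script and are refused without 'unsafe-eval'.
const SINKS = [
  { name: 'eval()', re: /\beval\s*\(/ },
  { name: 'new Function()', re: /\bnew\s+Function\s*\(/ },
  { name: 'string timer', re: /\bset(?:Timeout|Interval)\s*\(\s*["']/ },
];

function findEvalSinks(source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const sink of SINKS) {
      if (sink.re.test(line)) findings.push({ line: i + 1, sink: sink.name });
    }
  });
  return findings;
}

// Lines that would stop executing under the given policy (empty if eval is allowed).
function audit(source, headerValue) {
  return allowsEval(headerValue) ? [] : findEvalSinks(source);
}

// Constructed sample: the three detection lines quoted in this thread.
const SAMPLE_SOURCE = [
  `var msie = window['eval'] && eval("/*@cc_on 1;@*/");`,
  `var msie = /*@cc_on 1!@*/false;`,
  `var msie = global['execScript'] && (global['execScript']('var documentMsie/*@cc_on =1@*/;', 'JavaScript'), global.documentMsie);`,
].join('\n');
const SAMPLE_HEADER = "script-src 'self'"; // constructed; the thread's header is truncated
```

The scan is line-based and textual, so it only sees direct calls; indirect invocations such as `window['eval'](...)` need a real parser to find.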