eibiflo / cf_cookiemanager

Simple Typo3 Cookie Manager
GNU General Public License v2.0
10 stars, 4 forks

CSP and the eval func #23

Closed (weisgerberm closed this issue 4 months ago)

weisgerberm commented 4 months ago

Hi, first of all, thanks for the great extension. I am currently preparing everything for my site, but unfortunately you use an eval function in the JS, which undermines the concept of a content security policy. As a workaround I have allowed "unsafe-eval", but you shouldn't actually do that, otherwise you can omit the CSP:

```php
new Mutation(
    MutationMode::Extend,
    Directive::ScriptSrc,
    SourceKeyword::unsafeEval,
),
```

I don't know exactly why you need this eval function in the JS, but is there any way to avoid it? https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval?retiredLocale=de#never_use_eval!

The code is from vendor/codingfreaks/cf-cookiemanager/Classes/Utility/JavaScriptObfuscator.php:131

Thank you :)
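To make the concern in this issue concrete: a policy that carries `'unsafe-eval'` in `script-src` lets `eval()` and `new Function()` run again, so the header no longer blocks that class of script injection. The audit below, written for this thread and not part of cf_cookiemanager or TYPO3, parses a CSP header the way a browser resolves it (`script-src`, falling back to `default-src`, repeated directives ignored, `'unsafe-inline'` ignored when a nonce or hash source is present) and reports the keywords that weaken script execution. The sample headers are constructed; the first one is the serialized result of the `unsafeEval` workaround quoted above, the second is what a site can ship once the obfuscated script no longer needs eval.

```python
"""Audit a Content-Security-Policy header for keywords that re-enable eval()
and inline scripts.  Constructed example for this issue thread; it is not
code from cf_cookiemanager or from TYPO3."""
from __future__ import annotations

# Keywords in script-src that weaken the policy: 'unsafe-eval' re-enables
# eval()/new Function()/setTimeout("string"), 'unsafe-inline' inline <script>.
EVAL_KEYWORDS = {"'unsafe-eval'", "'wasm-unsafe-eval'"}
INLINE_KEYWORD = "'unsafe-inline'"
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a serialized CSP into {directive-name: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for raw_directive in header.split(";"):
        tokens = raw_directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()  # directive names are case-insensitive
        if name in policy:
            continue  # browsers ignore a repeated directive; so does the audit
        policy[name] = tokens[1:]
    return policy


def effective_script_sources(policy: dict[str, list[str]]) -> list[str] | None:
    """script-src governs eval and inline scripts; default-src is the fallback.
    Returns None when neither directive exists (scripts are unrestricted)."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def audit_csp(header: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing weak was found."""
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return ["no script-src or default-src: scripts are unrestricted"]
    lowered = {s.lower() for s in sources}
    findings: list[str] = []
    for keyword in sorted(EVAL_KEYWORDS & lowered):
        findings.append(f"script execution allows {keyword}")
    if INLINE_KEYWORD in lowered:
        # With a nonce or hash source present, CSP2+ browsers ignore
        # 'unsafe-inline' (it only remains as a CSP1 fallback), so do not flag it.
        if not any(s.lower().startswith(NONCE_OR_HASH_PREFIXES) for s in sources):
            findings.append(f"script execution allows {INLINE_KEYWORD}")
    if "*" in lowered:
        findings.append("script execution allows any host (*)")
    return findings


if __name__ == "__main__":
    # Constructed headers: the 'unsafe-eval' workaround versus a policy
    # that can be used once no shipped script depends on eval().
    WORKAROUND = "default-src 'self'; script-src 'self' 'unsafe-eval'"
    HARDENED = "default-src 'self'; script-src 'self'"
    for label, header in (("workaround", WORKAROUND), ("hardened", HARDENED)):
        print(f"{label}: {audit_csp(header) or 'no weak script keywords'}")
```

Running the script prints one finding for the workaround header and none for the hardened one; the same check can be pointed at the real `Content-Security-Policy` response header of a site to confirm that `'unsafe-eval'` was actually removed after the obfuscator is switched off.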

eibiflo commented 4 months ago

Hey @weisgerberm, thanks for the info and the great feedback.

Just to explain, the obfuscator is only used to obscure the Tracking.js so that Brave or ad blockers do not block the tracking, in order to obtain real first opt-in numbers.

I've incorporated this as a feature because it works really well. There's no reason to use it if you don't want the statistics to be 100% accurate, since some browsers block tracking.

Normally, nobody can misuse this function, as everything is static; however, I understand the concern.

I'm thinking of adding an option to toggle the obfuscator on or off. What's your opinion on this?

weisgerberm commented 4 months ago

Hi @eibiflo

Thank you very much for the quick response and the explanation. As you suggested, I would be very happy to have a switch as an option. Many thanks in advance.

eibiflo commented 4 months ago

I've added a switch to toggle the obfuscator on or off. Hope this helps with the CSP concerns you mentioned. (It will be published in the next release.)

Really appreciate your help in making the extension better. If you're happy with the extension, a GitHub star or a like in the TER would be awesome to help more folks find and use the extension.

Cheers!