Open onoufriosm opened 2 years ago
(My workaround for the moment is loading ketcher in an iframe but would be nice to use the React component directly)
Moved to 2.5 cc: @AllaZhbanova
@AndreiMazol @AllaZhbanova
My understanding is that if we introduce an option for ketcher-core/react package to compile the AVJ validation schemas at build time that will remove the unsafe-eval
dependency.
Is this something being actively worked on?
@martinuncountable Do you have any update on this. It is currently blocking my ability to use ketcher in my app, which is a bummer since ketcher is a very nice library
@martinuncountable Do you have any update on this. It is currently blocking my ability to use ketcher in my app, which is a bummer since ketcher is a very nice library
Yes we have forked Ketcher to use json-schema
instead. We are working on creating a PR here to merge upstream.
Steps to Reproduce Add a CSP (in your html entry file) that doesn't allow for "unsafe-eval"
Expected behavior Not throw a CSP error
Actual behavior Throws a CSP error
Additional context I've tracked this down to
ketcher-standalone/src/generate/libindigo.js
line 1230. Specificallynew Function
will cause this.Don't have enough context to make a change to this but essentially
new Function
should go away otherwise CSP won't let it run.