event-catalog / eventcatalog

An open source documentation tool to bring discoverability to your event-driven architectures
https://eventcatalog.dev
MIT License

content security policy need to have unsafe-eval to render the generated event page from AWS event bridge #497

Closed wliew99 closed 1 month ago

wliew99 commented 4 months ago

Have you read the Contributing Guidelines on issues?

Description

Cannot render the generated events without granting unsafe-eval in the content security policy, which is very concerning as it opens up room for cross-site scripting attacks.

Steps to reproduce

The content security policy on the CloudFront distribution that serves the S3 static files built from EventCatalog is default-src https: wss: 'self'; style-src https: 'unsafe-inline'

If I change the content security policy to default-src https: wss: 'unsafe-eval'; style-src https: 'unsafe-inline' then everything is fine.

When drilling down to our generated event details page (from plugin generation from EB), I get this on the client side: [image]

The F12 console gave this: [image] [image]

Expected behavior

The generated event page should be rendered with default-src https: wss: 'self'; style-src https: 'unsafe-inline'

Actual behavior

Got a client-side exception, as it's looking for unsafe-eval to be part of the CSP.

Your environment
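The two policies quoted in this report differ in what they allow scripts to do, and because neither sets an explicit script-src, the script rules come from default-src. The following is an added example (not EventCatalog or AWS code): a small CSP parser that applies the default-src fallback, reports the script-relevant keywords, and diffs the original policy against the workaround. Only the two policy strings are taken from the issue; the function names, the directive fallback table and the report format are constructed for this example.

```python
"""Parse a Content-Security-Policy header and compare its effective script policy.

Added example, not part of EventCatalog or of AWS CloudFront. The two policy
strings below are copied from the issue text; everything else is constructed.
"""
from __future__ import annotations

# Policies quoted in the issue: the original one and the unsafe-eval workaround.
ORIGINAL_POLICY = "default-src https: wss: 'self'; style-src https: 'unsafe-inline'"
WORKAROUND_POLICY = "default-src https: wss: 'unsafe-eval'; style-src https: 'unsafe-inline'"

# Fetch directives that inherit default-src when they are not set explicitly.
FALLBACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "media-src", "object-src", "frame-src", "worker-src", "manifest-src",
    "child-src",
}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are ';'-separated; the first whitespace token is the directive
    name, the rest are source expressions. Names are case-insensitive and the
    first occurrence of a directive wins, as browsers ignore later duplicates.
    """
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Return the sources governing `directive`, applying the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT:
        return policy.get("default-src", [])
    return []


def script_findings(header: str) -> dict[str, bool]:
    """Flags a reviewer cares about for the directive that governs script execution."""
    policy = parse_csp(header)
    sources = {s.lower() for s in effective_sources(policy, "script-src")}
    return {
        "script_src_explicit": "script-src" in policy,
        "allows_eval": "'unsafe-eval'" in sources,
        "allows_inline": "'unsafe-inline'" in sources,
        "allows_self": "'self'" in sources,
        "allows_any_https": "https:" in sources or "*" in sources,
    }


def script_delta(before: str, after: str) -> tuple[set[str], set[str]]:
    """Return (added, removed) script sources when moving from `before` to `after`."""
    old = {s.lower() for s in effective_sources(parse_csp(before), "script-src")}
    new = {s.lower() for s in effective_sources(parse_csp(after), "script-src")}
    return new - old, old - new


if __name__ == "__main__":
    for label, header in (("original", ORIGINAL_POLICY), ("workaround", WORKAROUND_POLICY)):
        print(f"{label}: {script_findings(header)}")
    added, removed = script_delta(ORIGINAL_POLICY, WORKAROUND_POLICY)
    print(f"workaround adds {sorted(added)} and removes {sorted(removed)} from script sources")
```

Running the script shows that the workaround does not just add 'unsafe-eval' to the script sources; it also drops 'self', since the keyword was substituted rather than appended. Either way the eval permission lands on default-src, so the report's concern that a single CSP keyword widens what any script on the page may do is visible directly in the parsed output.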

boyney123 commented 1 month ago

Thanks for raising this issue.

EventCatalog v2 is coming out very soon, so I'm going to close this as I believe it's no longer an issue in the new version.

If you still experience this issue please raise a new issue.

Thank you!