foliojs / pdfkit

A JavaScript PDF generation library for Node and the browser
http://pdfkit.org/
MIT License

pdfkit fails with Content-Security-Policy enabled #1104

Open martynasma opened 4 years ago

martynasma commented 4 years ago

Bug Report

Hey from amCharts. We're using pdfkit (indirectly via pdfmake) to export charts to PDF in our flagship dataviz lib, and running into a bit of an issue with security-conscious users.

Description of the problem

pdfkit fails with a critical security error if the page has Content-Security-Policy enabled. E.g.:

Header add Content-Security-Policy "script-src 'self'"

The above header prevents in-line script creation, which is a reasonable security measure, preventing any unauthorized JS code from being activated on the web page.

It originates in the Pointer function, which for some reason is using eval'ed code to generate function references:


The function comes from an old version of restructure used by one of pdfkit's dependencies - fontkit.

The issue has already been addressed in restructure, so it's just a matter of upgrading the whole chain of dependencies. Taking into account that all three libs are maintained by foliojs, it shouldn't be that hard? ;)

Live examples

With CSP enabled (failing, see browser console): http://test.amcharts.com/demo/pdfkit/with-CSP/

Without CSP (working fine): http://test.amcharts.com/demo/pdfkit/without-CSP/

Your environment
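As an added illustration (not code from pdfkit, fontkit or restructure), the pattern behind the failure: a hypothetical pointer-resolution helper that builds its accessor with `new Function`, which a `script-src` policy without `'unsafe-eval'` rejects, next to a closure-based version that works under the same header, plus a runtime check for whether eval-style code generation is permitted at all.

```javascript
// Added example, not library code. A field path such as "parent.header.offset"
// is resolved against a nested parse result, the kind of job the report's
// Pointer function does.

// Eval-based variant: the accessor is compiled from a string. Under
// Content-Security-Policy "script-src 'self'" (no 'unsafe-eval') the browser
// throws an EvalError at the `new Function(...)` call, which is the failure
// seen in the console on the with-CSP demo page.
function makeGetterWithEval(path) {
  return new Function('ctx', 'return ctx.' + path + ';');
}

// CSP-safe variant: walk the path with ordinary code. No string is ever turned
// into code, so the policy has nothing to refuse. Missing intermediate objects
// yield undefined instead of throwing.
function makeGetterSafe(path) {
  const keys = path.split('.');
  return function (ctx) {
    let cur = ctx;
    for (const key of keys) {
      if (cur == null) return undefined;
      cur = cur[key];
    }
    return cur;
  };
}

// Feature check a library can run once at load time: true where eval-style
// code generation is allowed (Node, or a page without a restrictive CSP),
// false where the policy blocks it. A library should prefer the closure-based
// path regardless, but the check lets it report the real cause instead of
// dying deep inside a parser.
function evalAllowed() {
  try {
    new Function('return 1')();
    return true;
  } catch (err) {
    return false;
  }
}

// Constructed sample context standing in for a nested font table.
const sampleCtx = { parent: { header: { offset: 42 } } };
```

Both getters return the same value on the sample context where eval is permitted; only the closure-based one keeps working once the header above is in place.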

liborm85 commented 4 years ago

Version of restructure is defined in fontkit. I have maintainer access to pdfkit and restructure, but not to fontkit... therefore, the solution is problematic.

@devongovett fontkit requires an update.

andersem commented 4 years ago

Seems the issue was fixed in fontkit 1.8.1? :)

Edit: I read the commit message, but didn't see the diff. restructure was not bumped in this release.

liborm85 commented 4 years ago

No, it is not fixed in fontkit version 1.8.1.

maiermic commented 3 years ago

As far as I understand, this has to be fixed in fontkit, but no issue is linked. Does the issue still need to be created?

> The issue has already been addressed in restructure, so it's just a matter of upgrading the whole chain of dependencies.

@martynasma Which version of restructure fixes the issue? There is a PR to update restructure to v2. However, it seems that the repository is not maintained anymore. I'll contact @devongovett, who seems to be the only one with permissions to that repository.