Open ehaubold opened 6 years ago
We run into the same problem here.
The unsafe evaluation comes from the devongovett/restructure package: https://github.com/devongovett/restructure/blob/master/src/Pointer.coffee#L11.
The coffee script builds a function from a parametric variable name.
It renders PDFkit unusable with decent CSP settings that do not include 'unsafe-eval'.
See devongovett/restructure#22
Any updates on this?
Now that https://github.com/foliojs/restructure/issues/28 has been fixed and released in 2.0.0, would it be possible to update pdfkit/fontkit to use the new version without the CSP issue?
We'd also be really keen on having this. It's preventing us from having a CSP without unsafe-eval on our sites that use AMCharts (which depends on pdfkit, which in turn depends on this)
Any update? This library cannot be used securely with modern applications.
+1 this is breaking our Web application security. Do others have alternatives to pdfkit that are secure CSP header friendly?
Is there an update on this? I would love to get rid of the 'unsafe-eval' in our Content Security Policy.
Would it be possible to make pdfkit usable with a CSP not allowing eval()? As our site handles personal data, all eval() is not allowed to be executed, rendering pdfkit unusable.
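The pattern the first post describes, a function built from a string that embeds a name, next to a closure-based equivalent, as an added example that is not code from this thread or from restructure. The `makeGetter` helper, the sample record and the use of Node's `vm` option `contextCodeGeneration` to stand in for a browser CSP without 'unsafe-eval' are assumptions made for illustration.

```javascript
const vm = require('node:vm');

// Illustrative version of the problem pattern (not restructure's source):
// the accessor is compiled from a string that embeds the property path.
const compiledAccessor = `
  function makeGetter(path) {
    return new Function('obj', 'return obj.' + path);
  }`;

// Equivalent without code generation: walk the path inside a closure.
// Nothing is compiled from a string, so 'unsafe-eval' is not needed and
// the path can never be interpreted as code.
const closureAccessor = `
  function makeGetter(path) {
    const keys = path.split('.');
    return function (obj) {
      return keys.reduce((value, key) => value[key], obj);
    };
  }`;

// Run one accessor implementation in a fresh V8 context. With
// allowStrings=false, eval() and the Function constructor throw EvalError,
// which is how a browser behaves under a CSP that omits 'unsafe-eval'.
function runGetter(source, record, path, allowStrings) {
  const script = `${source}\nmakeGetter(path)(record);`;
  try {
    const value = vm.runInNewContext(script, { record, path }, {
      contextCodeGeneration: { strings: allowStrings, wasm: false },
    });
    return { ok: true, value };
  } catch (err) {
    // The error object comes from the other context, so compare by name.
    return { ok: false, error: err.name };
  }
}

// Constructed sample input.
const sampleRecord = { header: { offset: 42 } };

for (const [label, source] of [['compiled', compiledAccessor],
                               ['closure', closureAccessor]]) {
  for (const allow of [true, false]) {
    const result = runGetter(source, sampleRecord, 'header.offset', allow);
    console.log(label, allow ? 'eval allowed ' : 'eval blocked ', result);
  }
}
```

Running the same check in a test suite for a dependency tree is a quick way to find which package still needs 'unsafe-eval' before tightening the policy.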