foliojs / pdfkit

A JavaScript PDF generation library for Node and the browser
http://pdfkit.org/
MIT License

using pdfkit with CSP not allowing eval() #757

Open ehaubold opened 6 years ago

ehaubold commented 6 years ago

Would it be possible to make pdfkit usable with a CSP that does not allow eval()? As our site handles personal data, no eval() is allowed to be executed, which renders pdfkit unusable.

mrudelle commented 6 years ago

We run into the same problem here.

The unsafe evaluation comes from the devongovett/restructure package: https://github.com/devongovett/restructure/blob/master/src/Pointer.coffee#L11. The CoffeeScript builds a function from a parametric variable name.

It renders PDFkit unusable with decent CSP settings that do not include 'unsafe-eval'.
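An added example (my own code, not from pdfkit or restructure) showing two things practitioners ask about in this thread: a small check of whether a Content-Security-Policy header permits eval()/new Function at all, and the "compile a getter from a field name at runtime" pattern described above beside its closure-based equivalent that needs no 'unsafe-eval'. The shape of the runtime-compiled getter is an assumption about what Pointer.coffee does, not a copy of it.

```javascript
// Parse a CSP header into { directiveName: [source, ...] }.
// Directive names and source keywords are case-insensitive, so lowercase both.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources.map(s => s.toLowerCase());
  }
  return directives;
}

// eval(), new Function() and friends are governed by script-src, which falls
// back to default-src. With neither directive present nothing restricts eval.
function cspAllowsEval(header) {
  const d = parseCsp(header);
  const list = d['script-src'] || d['default-src'];
  if (!list) return true;
  return list.includes("'unsafe-eval'");
}

// Assumed stand-in for the pattern the comment describes: source text is
// assembled from a variable name and compiled at runtime. This is exactly
// what a CSP without 'unsafe-eval' refuses to run.
function makeGetterWithEval(fieldName) {
  return new Function('ctx', 'return ctx.' + fieldName + ';');
}

// Eval-free equivalent: a closure over the field name. Same result, no
// runtime compilation, and fieldName is never interpreted as code.
function makeGetter(fieldName) {
  return ctx => ctx[fieldName];
}

// Constructed sample headers for a quick run.
const strict = "default-src 'self'; script-src 'self'";
const loose = "default-src 'self'; script-src 'self' 'unsafe-eval'";
console.log(cspAllowsEval(strict), cspAllowsEval(loose));  // false true
console.log(makeGetter('length')({ length: 3 }));            // 3
```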

firien commented 6 years ago

see devongovett/restructure#22

sangm commented 5 years ago

Any updates on this?

ramosbugs commented 4 years ago

Now that https://github.com/foliojs/restructure/issues/28 has been fixed and released in 2.0.0, would it be possible to update pdfkit/fontkit to use the new version without the CSP issue?

ghost commented 4 years ago

We'd also be really keen on having this. It's preventing us from having a CSP without unsafe-eval on our sites that use AMCharts (which depends on pdfkit, which in turn depends on this)

twistedpair commented 2 years ago

Any update? This library cannot be used securely with modern applications.

philipp-durrer-jarowa commented 10 months ago

+1, this is breaking our web application security. Do others have alternatives to pdfkit that work with a secure CSP header?

countzero commented 2 weeks ago

Is there an update on this? I would love to get rid of the 'unsafe-eval' in our Content Security Policy.