getify / ES-Feature-Tests

Feature Tests for JavaScript

Support CSP `script-src 'self';` #2

Closed mathiasbynens closed 9 years ago

mathiasbynens commented 9 years ago

Due to the use of Function(…) this library cannot be used with CSP script-src 'self';. Switching to a getter-based approach that executes the feature test once and then caches the result would solve this problem.

getify commented 9 years ago

I don't understand. How do you propose to enable the dynamic testing of syntax without new Function(..) or eval(..)? Also, the "featuretests.js" file never runs in the host page (meaning it should be irrelevant to their CSP headers). It always runs in a cross-origin iframe from "featuretests.io", and that server sends out suitable CSP headers for the library to operate.

The test results are cached, but they have to be run at least once.

mathiasbynens commented 9 years ago

> How do you propose to enable the dynamic testing of syntax without new Function(..) or eval(..)?

Of course that wouldn’t be possible. A subset of tests could still be run without it, though.

> Also, the "featuretests.js" file never runs in the host page (meaning it should be irrelevant to their CSP headers). It always runs in a cross-origin iframe from "featuretests.io", and that server sends out suitable CSP headers for the library to operate.

Not always — the README mentions the library/service can be self-hosted. Might I suggest adding to the README that when self-hosting…

  1. framing must be enabled, and
  2. CSP (or at least, CSP’s script-src 'self';) must be disabled?

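
The split discussed above, as an added illustration that is not code from the ES-Feature-Tests project: syntax tests need Function()/eval() and so fail under `script-src 'self'` without 'unsafe-eval' (the blocked constructor throws an EvalError, distinguishable from a SyntaxError), while API-shape tests still run, and self-replacing getters cache each result so a test executes only once. The `compile` parameter and `blockedCompile` are assumptions used to simulate the blocked case offline.

```javascript
// Constructed example (not code from ES-Feature-Tests): feature tests split by
// whether they need Function()/eval(), plus getters that run each test once.

// Syntax tests must compile source text, so they need Function()/eval().
const syntaxTests = {
  arrowFunctions: "(() => {})",
  classes: "class A {}",
  templateLiterals: "`${1}`",
};

// API-shape tests only inspect existing objects and work under script-src 'self'.
const apiTests = {
  symbol: () => typeof Symbol === "function",
  arrayIncludes: () => typeof Array.prototype.includes === "function",
  promise: () => typeof Promise === "function",
};

// true = supported, false = unsupported, null = untestable (CSP-blocked eval throws EvalError).
function runSyntaxTest(src, compile = (s) => new Function(s)) {
  try { compile(src); return true; }
  catch (e) { return e instanceof SyntaxError ? false : null; }
}

// Lazy, self-replacing getters: each test executes at most once, on first read.
function defineLazyResults(target, tests, run) {
  for (const name of Object.keys(tests)) {
    Object.defineProperty(target, name, {
      configurable: true,
      enumerable: true,
      get() {
        const value = run(tests[name]);
        Object.defineProperty(target, name, { value, enumerable: true });
        return value;
      },
    });
  }
  return target;
}

// `compile` is injectable (an assumption) so the CSP-blocked case can be exercised offline.
function buildResults(compile) {
  const results = {};
  defineLazyResults(results, syntaxTests, (src) => runSyntaxTest(src, compile));
  defineLazyResults(results, apiTests, (fn) => fn());
  return results;
}

// Stands in for Function() under a CSP without 'unsafe-eval'.
const blockedCompile = () => { throw new EvalError("blocked by CSP"); };
```

Reading `buildResults(blockedCompile).arrowFunctions` yields null rather than false, so a self-hosted deployment under a strict CSP can report "could not test" instead of wrongly reporting the feature as missing.
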
getify commented 9 years ago

> Might I suggest adding to the README that when self-hosting

That's a fair point. I'll add something to that effect.

Although, I will say, I expect if someone is going to go out of their way to self-host and skip the service, they'll probably just use the text of the tests and run them however they want. So that's kind of on them to figure out how to do so within their own site's CSP rules.

But one implied (I didn't want to come out and directly say this) reason for using the service is that it does those tests off-domain so that your own domain/site doesn't have to worry about such security concerns. That's such an advanced topic, and so easy to confuse and misconstrue, I have opted not to talk about it directly. But I suspect as soon as any site that has a CSP tries to do their own testing, they'll run into this issue, and see why the service is helpful in that regard.

getify commented 9 years ago

In addition to the update to the README provided in dae1697, I also just posted this update in the documentation on the site:

https://featuretests.io/details#content-security-policy

Do those two updates address your concerns about CSP and this service?

getify commented 9 years ago

Closing for now. Feel free to re-open if there are more concerns.