jspreadsheet / pro

Jspreadsheet Pro | The javascript spreadsheet
https://jspreadsheet.com/
14 stars, 1 fork

unable to load spreadsheet with CSP header "script-src 'self'" #331

Closed jliu716cc closed 1 month ago

jliu716cc commented 1 month ago

Hello, I have been evaluating jspreadsheet with a demo account. It has been working very well on my local machine until it was deployed to the stage environment. On stage, when running:

this.worksheets = jspreadsheet(this.spreadsheet.nativeElement, config);

it does not load any spreadsheet at all, instead showing the following error in the console:

EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".

    at Function (<anonymous>)
    at Object.parse (lemonade.js:741:44)
    at Object.parse (lemonade.js:812:23)
    at Object.parse (lemonade.js:812:23)
    at Object.parse (lemonade.js:812:23)
    at Object.parse (lemonade.js:812:23)
    at L.element (lemonade.js:1038:15)
    at L.render (lemonade.js:907:27)
    at Object.parse (lemonade.js:832:15)
    at Object.parse (lemonade.js:812:23)

Looking into the line of the exception, it reads:

q.method = Function('self', value).bind(element, self);

And in fact even running just new Function('') would throw the same error. According to this documentation https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_eval_expressions the Function() constructor is not allowed with the Content-Security-Policy header script-src 'self'.

The only workaround I have found is changing our CSP header from script-src 'self' to script-src 'self' 'unsafe-eval', but it opens risks of XSS and defeats the purpose of CSP... Without 'unsafe-eval' I can't load any spreadsheet at all at the moment...

Any suggestion to fix this issue without adding 'unsafe-eval' to our CSP header? Thank you.

P.S. The issue was found with jspreadsheet version 11 in an Angular implementation; package versions are:

"@jspreadsheet/charts": "^6.2.1",
"@jspreadsheet/comments": "^5.0.1",
"@jspreadsheet/formula-charts": "^4.0.0",
"@jspreadsheet/parser": "^5.5.0",
"@jspreadsheet/shapes": "^1.0.2",
"jspreadsheet": "^11.4.7",
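Added example (my own code, not from the issue, jspreadsheet or lemonade.js): a Node-runnable check of the situation described above. evalAllowedByCsp parses a Content-Security-Policy header value and reports whether it lets the Function() constructor run, applying the script-src then default-src fallback and requiring every comma-separated policy to agree; runtimeEvalAllowed is the in-page feature test (the same new Function('') call from the trace) a deployment could run before initialising a library that depends on it. Function names and the sample header values are assumptions.

```javascript
// Parse a Content-Security-Policy header value. A header can carry several
// policies separated by commas; each one must allow an action, so all are kept.
function parseCsp(headerValue) {
  return headerValue.split(',').map((policy) => {
    const directives = new Map();
    for (const part of policy.split(';')) {
      const tokens = part.trim().split(/\s+/).filter(Boolean);
      if (tokens.length === 0) continue;
      const name = tokens[0].toLowerCase();
      // CSP ignores repeated directives: the first occurrence wins.
      if (!directives.has(name)) directives.set(name, tokens.slice(1));
    }
    return directives;
  });
}

// Sources that govern script execution (and therefore eval/Function()):
// script-src, falling back to default-src. null means scripts are unrestricted.
function scriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// True when every policy in the header permits Function()/eval(), i.e. its
// governing directive contains 'unsafe-eval' ('wasm-unsafe-eval' does not count).
function evalAllowedByCsp(headerValue) {
  return parseCsp(headerValue).every((directives) => {
    const sources = scriptSources(directives);
    if (sources === null) return true;
    return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
  });
}

// In-page feature test: under a policy without 'unsafe-eval' the constructor
// throws an EvalError, so a page can choose a non-eval code path up front.
function runtimeEvalAllowed() {
  try {
    new Function(''); // the same call that fails in the stack trace above
    return true;
  } catch (e) {
    if (e instanceof EvalError) return false;
    throw e; // anything else is a real error, not a CSP decision
  }
}

// Constructed header values, as a server might send them (not from the issue):
console.log(evalAllowedByCsp("script-src 'self'"));                // false
console.log(evalAllowedByCsp("script-src 'self' 'unsafe-eval'")); // true
```

In a browser, runtimeEvalAllowed() returns false under the reporter's header and true once 'unsafe-eval' is present; in Node there is no CSP, so it returns true.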

hodeware commented 1 month ago

Please upgrade your @jspreadsheet/charts to v6.3.0, that will sort out the issue.