lightstep / lightstep-tracer-javascript

Lightstep distributed tracing library for Node.js and the browser
https://lightstep.com
MIT License
77 stars 66 forks

Cannot be used in Chrome/Firefox extensions because bundle contains eval() #141

Closed felixfbecker closed 4 years ago

felixfbecker commented 5 years ago

When trying to use this library in a browser extension (Chrome or Firefox) the extension will throw with

Error: Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' blob:".

Chrome and Firefox do not allow eval( in extensions because it is a security risk.

This seems to be related to some Google library bundled (I assume for Proto support?), search https://github.com/lightstep/lightstep-tracer-javascript/blob/master/dist/lightstep-tracer.js for eval(.

felixfbecker commented 5 years ago

Related: https://github.com/protocolbuffers/protobuf/issues/5464

Ideally though I should be able to use this library through plain HTTP.

iredelmeier commented 5 years ago

Interesting, and thanks for hunting down the upstream problem! I'll be investigating some other options for compilation, e.g., protobuf.js.

When you say "plain HTTP", do you mean JSON over HTTP?

felixfbecker commented 5 years ago

What I mean is that as a consumer of Lightstep, I don't really care how the data is transported. I just care that it works (including in extensions and web workers) and doesn't bloat my bundle. Maybe there is one, but I don't understand the need for either Thrift or Protobuf libraries, and would at least like to avoid having both in my bundle, especially if they cause issues like this.

iredelmeier commented 5 years ago

Thanks for the explanation! I completely agree, and we're moving in the direction of no longer requiring code for unused transports.

JulesPatry commented 3 years ago

This is a rather old issue, but today I'm facing the same issue because our CSP does not allow the use of eval.

The protobuf library (a dependency of lightstep-tracer-javascript) does not package their code with commonjs_strict, which then pollutes the build with JavaScript code using eval. protocolbuffers/protobuf-javascript#25

Could lightstep-tracer-javascript work without this protobuf library?

JulesPatry commented 3 years ago

For anyone also experiencing a problem with using eval, try using this branch in your package.json: https://github.com/lightstep/lightstep-tracer-javascript/tree/v0.30.2-no-protobuf

Simply add "lightstep-tracer": "v0.30.2-no-protobuf", in your package.json and eval errors will not show up.
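
A build-time check for the failure reported in this thread, as an added example that is not part of the original discussion or the project's own code: it scans bundle text for eval( and new Function( calls, which a Content Security Policy without 'unsafe-eval' rejects, while ignoring matches inside comments and strings. The function names and the sample input are constructed for illustration.

```javascript
// Blank out comments and string literals (newlines kept so line numbers hold),
// so "eval(" in a comment or string is ignored. Regex literals and ${} are not parsed.
function blankNonCode(src) {
  let out = '', i = 0;
  while (i < src.length) {
    const two = src.slice(i, i + 2);
    let end = -1;
    if (two === '//') {
      end = src.indexOf('\n', i);
      if (end === -1) end = src.length;
    } else if (two === '/*') {
      end = src.indexOf('*/', i + 2);
      end = end === -1 ? src.length : end + 2;
    } else if (src[i] === '"' || src[i] === "'" || src[i] === '`') {
      end = i + 1;
      while (end < src.length && src[end] !== src[i]) end += src[end] === '\\' ? 2 : 1;
      end = Math.min(end + 1, src.length);
    }
    if (end === -1) { out += src[i++]; continue; }
    out += src.slice(i, end).replace(/[^\n]/g, ' ');
    i = end;
  }
  return out;
}

// Sinks rejected without 'unsafe-eval'; window.eval( matches, medieval( does not.
const SINKS = [
  { kind: 'eval', re: /(?<![\w$])eval\s*\(/g },
  { kind: 'Function constructor', re: /\bnew\s+Function\s*\(/g },
];

function findEvalSinks(src) {
  const code = blankNonCode(src);
  const hits = [];
  for (const { kind, re } of SINKS) {
    for (const m of code.matchAll(re)) {
      hits.push({ kind, line: code.slice(0, m.index).split('\n').length });
    }
  }
  return hits.sort((a, b) => a.line - b.line);
}
// Constructed sample input, not taken from the lightstep bundle.
const SAMPLE_BUNDLE = [
  '// never call eval( here',
  'var msg = "eval(x) is blocked";',
  'function load(s) { return eval(s); }',
  'var f = new Function("return this");',
  'var v = medieval(1);',
].join('\n');
```

In a build, pass the contents of the built bundle (for example read with fs.readFileSync) to findEvalSinks and fail the job when the returned list is not empty.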