Hey, thanks for your work on this plugin!

I'm having some trouble with the hardcoded fetches out to https://cdn.jsdelivr.net (1, 2). Although this is nice for folks who are just trying to get things up and running quickly, it's a little uncomfortable for those of us who have to enforce strict content security policies. There's a lot of code on jsdelivr, and I'd prefer to not have to mark it all as trusted! On its own, it's not awful, since it only needs `connect-src` permission, but when you combine it with the `script-src blob:` that seems to be required by `@livekit/krisp-noise-filter`, it starts to become worrying. You guys seem pretty trustworthy, but this is JS - we can't always trust the dependencies of our dependencies of our dependencies not to fetch some code from jsdelivr, stuff it into a blob, and execute it.

It would be ideal if there were a way to pass in some configuration to the plugin designating alternate source(s) for `@mediapipe/tasks-vision` and `@mediapipe/holistic`. That way, we could mirror the dependencies ourselves and not have to allow connections to jsdelivr.
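As an added illustration of the concern raised in the issue (not code from the issue author or the plugin), this parses a Content-Security-Policy header and flags the combination described above: a `connect-src` that trusts a broad public CDN while `script-src` permits `blob:`. The hardened policy, which keeps `blob:` for the noise filter but points `connect-src` at a self-hosted mirror, uses an assumed origin `https://models.example.internal`.

```javascript
// Added example: audit a CSP for the "broad CDN in connect-src + blob: in
// script-src" pairing the issue describes. Not part of the plugin.

function parseCsp(header) {
  // Map of directive name -> list of source expressions.
  const policy = new Map();
  for (const directive of header.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// Effective source list for a fetch directive, honouring default-src fallback.
function effectiveSources(policy, directive) {
  return policy.get(directive) ?? policy.get("default-src") ?? [];
}

// Origins hosting so much third-party code that allowing them is close to
// allowing anything: the one named in the issue plus a constructed entry.
const BROAD_CDNS = ["https://cdn.jsdelivr.net", "https://unpkg.com"];

function auditCsp(header) {
  const policy = parseCsp(header);
  const connect = effectiveSources(policy, "connect-src");
  const script = effectiveSources(policy, "script-src");
  const broadConnect = connect.filter(
    (s) => s === "*" || s === "https:" || BROAD_CDNS.includes(s));
  const blobScripts = script.includes("blob:");
  const findings = [];
  if (broadConnect.length) findings.push(`connect-src trusts broad CDN(s): ${broadConnect.join(", ")}`);
  if (blobScripts) findings.push("script-src allows blob: URLs");
  // Each alone is tolerable; together, fetched bytes can become executable code.
  return { findings, risky: broadConnect.length > 0 && blobScripts };
}

// Constructed policies: what the hardcoded CDN fetch forces today...
const CURRENT_CSP = "default-src 'self'; connect-src 'self' https://cdn.jsdelivr.net; script-src 'self' blob:";
// ...and what a configurable model source would allow (mirror origin is assumed).
const HARDENED_CSP = "default-src 'self'; connect-src 'self' https://models.example.internal; script-src 'self' blob:";

console.log(auditCsp(CURRENT_CSP));  // risky: true
console.log(auditCsp(HARDENED_CSP)); // risky: false
```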