mapbox / pbf

A low-level, lightweight protocol buffers implementation in JavaScript.
BSD 3-Clause "New" or "Revised" License

Is your library CSP friendly? (not using any unsafe eval expression)? #130

Closed yvele closed 2 years ago

yvele commented 2 years ago

When making a browser application, most of us are dealing with a strict CSP (Content-Security-Policy) that disallows making use of unsafe-eval expressions.

I'm trying to switch from protobufjs to another library that is CSP friendly. I can't see anything CSP related in your documentation. Can you please add a CSP paragraph where you explain that the library makes use (or NOT 🤞) of unsafe-eval expressions? And what CSP is required?

See also CSP issues that developers have with protobuf.js:

mourner commented 2 years ago

There should be no CSP issues with pbf — it doesn't use any code generation techniques that would need eval-like expressions. No special CSP rules are required to use it.
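
A way to check this kind of claim for any decoder, as an added example that is not part of the thread and not pbf or protobuf.js code: Node's `vm` contexts can refuse code generation from strings, which approximates a CSP without `unsafe-eval`. The two decoders, the schema and the sample bytes are constructed for illustration and handle varint fields only.

```javascript
const vm = typeof require === "function" ? require("node:vm") : process.getBuiltinModule("node:vm");

// Constructed protobuf message: field 1 (varint) = 150, field 2 (varint) = 3.
const SAMPLE = [0x08, 0x96, 0x01, 0x10, 0x03];

const READ_VARINT = `
function readVarint(buf, pos) {
  let result = 0, shift = 0, byte;
  do {
    if (pos.i >= buf.length) throw new RangeError("truncated varint");
    byte = buf[pos.i++];
    result += (byte & 0x7f) * 2 ** shift; // multiply, so values above 2^31 survive
    shift += 7;
  } while (byte & 0x80);
  return result;
}`;

// Decoder A: hand-written field loop, no runtime code generation.
const HAND_WRITTEN = READ_VARINT + `
function decode(buf) {
  const pos = { i: 0 }, out = {};
  while (pos.i < buf.length) {
    const key = readVarint(buf, pos), value = readVarint(buf, pos);
    if (key >> 3 === 1) out.id = value;
    else if (key >> 3 === 2) out.count = value;
  }
  return out;
}`;

// Decoder B: same behaviour, but compiled from a schema with new Function.
const GENERATED = READ_VARINT + `
const schema = { 1: "id", 2: "count" };
const cases = Object.keys(schema).map(n => "case " + n + ": out." + schema[n] + " = value; break;").join("");
const decode = new Function("readVarint", "buf",
  "const pos = { i: 0 }, out = {}; while (pos.i < buf.length) {" +
  "const key = readVarint(buf, pos), value = readVarint(buf, pos);" +
  "switch (key >> 3) {" + cases + "} } return out;").bind(null, readVarint);`;

// Loads decoder source in a fresh context; allowEval=false makes eval and new Function throw.
function runDecoder(source, allowEval) {
  const context = vm.createContext({}, { codeGeneration: { strings: allowEval, wasm: allowEval } });
  try {
    vm.runInContext(source, context);
    const out = vm.runInContext("JSON.stringify(decode(" + JSON.stringify(SAMPLE) + "))", context);
    return { ok: true, result: JSON.parse(out) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}
console.log(runDecoder(HAND_WRITTEN, false), runDecoder(GENERATED, false));
```

In a browser, the equivalent check is to load the library under the real policy and watch for CSP violation reports.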

yvele commented 2 years ago

Thank you so much @mourner, this is really reassuring, I will give pbf a try. What about adding a little CSP paragraph in the doc about that? Because many people are struggling with CSP, and seeing that being CSP friendly is part of the library's fundamentals is a big plus 👍

yvele commented 2 years ago

Thank you @mourner, I'm using pbf and it works like a charm with strict CSP. Awesome lightweight low-level library 👏

aberrier commented 6 days ago

Hello @yvele, I followed your comments on GitHub as I've come across the same issue of using protobufjs with CSP constraints. Thank you for your feedback on pbf, which will clearly make me and any future developers win precious time in finding CSP-friendly alternatives to protobufjs! 🚀