Closed dsebastien closed 4 months ago
Good point, this seems to be webpack related. Requires investigation.
Has the webpack configuration changed since you made the last release? I don't see any reference to the compression/uglification plugin (webpack does not create a .min.js file in dist anymore).
No it hasn't, the problem was probably there from the start.
Hi @fzaninotto, any pointers on how we could solve this?
We need a webpack hacker...
There's no minification in place in the webpack config. I think the fix just consists in:
Publishing a new version :p
Should be fixed in the latest version, 4.0.
We've noticed that the minified build of FakeRest uses eval in some places, for example:
The above fails if the Content Security Policy does not allow unsafe-eval for the script-src attribute. The error (in Chrome): EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".
Allowing 'unsafe-eval' for scripts is considered very risky from a security point of view.
Could you create a distribution that does not rely on eval so that we can use FakeRest with a strong CSP?
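An added example, not part of the original issue and not FakeRest's own code: a Node.js check that runs a built bundle in a `vm` context with string code generation disabled, the same restriction a CSP without 'unsafe-eval' imposes on eval. The two sample bundles are constructed for illustration, and the function name `runsWithoutEval` is hypothetical.

```javascript
const vm = require('vm');

// Constructed sample: a bundle whose module body is wrapped in eval(),
// the pattern the issue reports in the published build.
const EVAL_BUNDLE = `
var modules = {
  "./src/index.js": function (module) {
    eval("module.exports = { name: 'constructed-sample' };");
  }
};
var m = { exports: {} };
modules["./src/index.js"](m);
var lib = m.exports;
`;

// Constructed sample: the same module emitted as plain code.
const PLAIN_BUNDLE = `
var modules = {
  "./src/index.js": function (module) {
    module.exports = { name: 'constructed-sample' };
  }
};
var m = { exports: {} };
modules["./src/index.js"](m);
var lib = m.exports;
`;

// Runs `source` in a fresh context where eval() and new Function() on
// strings are refused. Returns { ok, error }; errors other than the
// eval refusal are rethrown so unrelated breakage is not hidden.
function runsWithoutEval(source, filename = 'bundle.js') {
  const context = vm.createContext({}, {
    codeGeneration: { strings: false, wasm: false },
  });
  try {
    vm.runInContext(source, context, { filename });
    return { ok: true, error: null };
  } catch (err) {
    // The error object comes from the other context, so compare by name
    // instead of using instanceof.
    if (err && err.name === 'EvalError') {
      return { ok: false, error: String(err.message) };
    }
    throw err;
  }
}
```

In CI, read the file from `dist` and fail the build when `ok` is false. The check only catches eval on code paths that execute when the bundle loads, so it complements a CSP and does not replace one.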