marmelab / FakeRest

Patch fetch/XMLHttpRequest to fake a REST API server in the browser, based on JSON data.
MIT License

Minified version uses eval which forces to use a weak Content Security Policy (CSP) #23

Closed dsebastien closed 4 months ago

dsebastien commented 8 years ago

We've noticed that the minified build of FakeRest uses eval in some places, for example:

...Function("binder","return function ("+c.join(",")+"){ return binder.apply(this,arguments); }")(a);

The above fails if the Content Security Policy does not allow unsafe-eval for the script-src attribute. The error (in Chrome): EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".

Allowing 'unsafe-eval' for scripts is considered very risky from a security point of view.

Could you create a distribution that does not rely on eval so that we can use FakeRest with a strong CSP?
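The check a site owner would want before shipping such a bundle, as an added example that is not part of this issue and not FakeRest code: a small CSP parser that reports whether a given policy string lets script-src (falling back to default-src, as the spec does) use eval-style code generation, plus a runtime probe that tries the Function constructor and catches the EvalError quoted above. The policy strings are constructed samples; the function names are the example's own.

```javascript
// Added example (not FakeRest code): parse a Content-Security-Policy header
// and decide whether it permits eval / new Function for scripts, then probe
// the current realm to see whether such code generation actually works.

function parseCsp(header) {
  // A policy is a ';'-separated list of directives; each directive is a name
  // followed by whitespace-separated source expressions.
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive name is ignored by browsers: the first one wins.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

function scriptSources(header) {
  const d = parseCsp(header);
  // script-src governs scripts; when it is absent, default-src applies.
  // If neither is present, the policy does not restrict scripts at all.
  if ('script-src' in d) return d['script-src'];
  if ('default-src' in d) return d['default-src'];
  return null;
}

function allowsEval(header) {
  const sources = scriptSources(header);
  if (sources === null) return true; // unrestricted
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Runtime probe: returns true when the Function constructor is usable here,
// which is exactly what the minified bundle quoted in the issue relies on.
function evalPermittedHere() {
  try {
    // eslint-disable-next-line no-new-func
    return new Function('return 1')() === 1;
  } catch (e) {
    // Under a CSP without 'unsafe-eval', Chrome throws an EvalError here.
    return false;
  }
}

// Constructed sample policies: the strict one is what the reporter wants to
// keep; the weak one is what the eval-based bundle would force them to use.
const strictPolicy = "default-src 'self'; script-src 'self'";
const weakPolicy = "default-src 'self'; script-src 'self' 'unsafe-eval'";

console.log('strict policy allows eval:', allowsEval(strictPolicy)); // false
console.log('weak policy allows eval:  ', allowsEval(weakPolicy));   // true
console.log('eval works in this realm: ', evalPermittedHere());
```

Run the file in Node (no CSP applies there, so the probe reports true) or paste it into the console of a page served with the strict policy, where the probe returns false and logs the same EvalError the reporter saw; the parser side is what a build or CI check would use to fail a deployment that depends on 'unsafe-eval'.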

fzaninotto commented 8 years ago

Good point, this seems to be webpack related. Requires investigation.

dsebastien commented 8 years ago

Has the webpack configuration changed since you made the last release? I don't see any reference to the compression/uglification plugin (webpack does not create a .min.js file in dist anymore)

fzaninotto commented 8 years ago

No it hasn't, the problem was probably there from the start.

dsebastien commented 8 years ago

Hi @fzaninotto Any pointer on how we could solve this?

fzaninotto commented 8 years ago

We need a webpack hacker...

dsebastien commented 8 years ago

There's no minification in place in the webpack config. I think the fix just consists in:

Publishing a new version :p

fzaninotto commented 4 months ago

Should be fixed in the latest version, 4.0.