Closed tux21b closed 8 months ago
Does this connect back to https://github.com/mui/mui-x/pull/10329#discussion_r1327233747?
I don't think so. The Content-Security-Policy doesn't mind if the eval is obfuscated via atob or if it was executed in a global scope or if it was re-assigned to another variable. It just forbids the usage of eval (unless 'unsafe-eval' is explicitly set).
Sounds good, we can evaluate `hasEval` lazily, so if `disableEval` is used it will never be evaluated.

> even if the undocumented option disableEval is used
Not directly the topic here but this prop is probably worth documenting since we had several feedbacks of people wanting to use it. Having a clean doc section to link would make the process smoother
I have the same issue as @tux21b and implemented a fix in #11516
> I don't think so. The Content-Security-Policy doesn't mind if the eval is obfuscated via atob or if it was executed in a global scope or if it was re-assigned to another variable. It just forbids the usage of eval (unless 'unsafe-eval' is explicitly set).

@tux21b Ah right, without `'unsafe-eval'` both eval and Function are blocked: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_eval_expressions.
Steps to reproduce

`'unsafe-eval'` (like `Content-Security-Policy: script-src 'self'`). For example, run https://codesandbox.io/p/devbox/late-http-8nkhlj?file=%2Fnext.config.js%3A29%2C5 locally.

Current behavior

The `hasEval` detection added in https://github.com/mui/mui-x/issues/10056 is always automatically executed, even if the undocumented option `disableEval` is used. The `hasEval` detection runs an obfuscated version of `eval("true")` which gets blocked. This leads to CSP warnings reported via `Report-To`. The JavaScript exception is caught and hidden.

Expected behavior

I would prefer if `eval()` isn't used at all, but if that's not an option, then it should not be used if `disableEval` is set to true. Doing the computation of `hasEval` lazily (and only if `disableEval` is not set) would solve the problem.

Context

I'm trying to use the datagrid component in a secure way. Having Content-Security-Policy headers is highly recommended and disallowing arbitrary `eval()`s is the whole point of CSP. Having a report endpoint to catch possible security breaches (and errors within dev) is also recommended and having to continuously filter out false reports because of `eval("true")` within mui-x is really annoying and might hide more serious attacks or bugs.

Your environment

No response

Search keywords: datagrid csp eval
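The lazy, opt-out-gated detection the issue asks for, as an added example that is not mui-x's own code: the probe (assumed here to be a `Function` constructor call, not the library's obfuscated `eval("true")`) runs at most once, and never when the caller passes `disableEval`, so a CSP without `'unsafe-eval'` produces no violation report for an opted-out user.

```javascript
// Added example (not mui-x's own code): lazy eval-support detection that can
// be skipped entirely by the caller. Under a Content-Security-Policy without
// 'unsafe-eval', both eval() and the Function constructor throw; the exception
// can be caught, but the browser still emits a CSP violation report, which is
// the false-positive noise the issue describes. The cure is to not run the
// probe unless it is actually needed.

let probeRuns = 0; // how many times the probe really executed (checked by tests)

// Assumed probe: one Function-constructor call. Returns false instead of
// throwing so callers can branch on the result.
function probeEvalSupport() {
  probeRuns += 1;
  try {
    return new Function('return true')() === true;
  } catch (e) {
    // EvalError under a restrictive CSP: eval-based code paths are unavailable.
    return false;
  }
}

// Memoised, lazy version of the hasEval flag: nothing runs at module load,
// and the probe executes only on the first call.
let cachedHasEval;
function hasEval() {
  if (cachedHasEval === undefined) cachedHasEval = probeEvalSupport();
  return cachedHasEval;
}

// What a consumer of the flag should do: honour the opt-out first, and only
// then consult (and thereby trigger) the detection. With disableEval set the
// probe is never reached, so no CSP report is generated.
function shouldUseEval(disableEval) {
  if (disableEval) return false;
  return hasEval();
}

function getProbeRuns() {
  return probeRuns;
}
```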