regl-project / regl

👑 Functional WebGL
https://regl-project.github.io/
MIT License

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed #491

Closed guilala closed 6 years ago

guilala commented 6 years ago

Security-wise it's preferable to have a Content-Security-Policy of 'self' for script sources. But using regl with that policy runs into this error:

EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".

This happens in regl's function 'compile', at 'var proc = Function.apply(null, linkedNames.concat(src));'.

After adding 'unsafe-eval' to script source policy, regl runs just fine. But that's arguably a major drawback for using regl.

Is there really no way of avoiding methods similar to eval for parsing regl strings?
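The construction named above (`Function.apply(null, linkedNames.concat(src))`) is exactly what a CSP without 'unsafe-eval' rejects. As an added example that is not regl's own code, the following probes once at load time whether dynamic code generation is permitted and fails with a descriptive error instead of a bare EvalError mid-render; `makeFunction`, `probeDynamicCode`, `compileLinked` and `blockedByCspFactory` are names assumed here for illustration.

```javascript
// Added example (not regl's own code): probe whether the page's
// Content-Security-Policy permits dynamic code generation, so a library that
// relies on `Function.apply(null, linkedNames.concat(src))` can fail early.
// `makeFunction` is injectable only so the blocked case can be simulated
// outside a browser (testing assumption; a real page just uses the default).
function probeDynamicCode(makeFunction = (...args) => Function.apply(null, args)) {
  try {
    // Same shape regl's compile() uses: argument names, then the body source.
    const proc = makeFunction('a', 'b', 'return a + b;');
    if (proc(1, 2) !== 3) {
      return { allowed: false, reason: 'unexpected result from generated function' };
    }
    return { allowed: true, reason: null };
  } catch (err) {
    // Under "script-src 'self'" without 'unsafe-eval', browsers throw EvalError.
    const blockedByCsp = err instanceof EvalError || /unsafe-eval/.test(String(err && err.message));
    return {
      allowed: false,
      reason: blockedByCsp
        ? "Content-Security-Policy blocks dynamic code ('unsafe-eval' not allowed)"
        : `dynamic code generation failed: ${err && err.message}`,
    };
  }
}

// Wrapper around the regl-style compile step: only reaches Function.apply when
// the probe succeeded; otherwise throws an error the caller can handle (for
// example by choosing a non-generated rendering path) instead of a raw EvalError.
function compileLinked(linkedNames, src, probe = probeDynamicCode()) {
  if (!probe.allowed) {
    throw new Error(`cannot compile generated code: ${probe.reason}`);
  }
  return Function.apply(null, linkedNames.concat(src));
}

// Constructed stand-in for a CSP-restricted page; a browser throws this itself.
function blockedByCspFactory() {
  throw new EvalError(
    "Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script"
  );
}
```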

dy commented 6 years ago

But for now that is the essence of regl, experimenting would take weeks and performance is doubtful to match.

guilala commented 6 years ago

Thanks for the answer, good to know. I'll have to add the policy, since regl is worth it :-)

jlfwong commented 6 years ago

Hey, I've gotten a lot of use out of regl, and it allowed me to build https://github.com/jlfwong/speedscope without dealing with a lot of the pain of using WebGL APIs directly while still giving me a lot of control over the performance of the application via low-level primitives. On the whole, I've had a very positive experience both with the documentation and the library itself.

That said, I ultimately had to switch away from it because of its use of eval. In particular, if you want to build WebGL-based tools and have them embed into other applications, for many people, it failing on a page with a strict content security policy is a showstopper.

In my particular case, speedscope is an in-browser profiling tool that people want to be able to host within their own domains. GitHub has a strict content security policy, so it blocked the merge of speedscope as the default visualizer for stackprof (See: https://github.com/tmm1/stackprof/pull/100).

Because of this, I need to switch away from regl (See: https://github.com/jlfwong/speedscope/pull/140).

No action needed on the part of regl maintainers, but I thought I would offer this as an example of where this can be a showstopper.

Thanks for writing regl and making it possible for me to make speedscope :)