Closed jwmerrill closed 7 years ago
Any site with CSP in place to prevent illegal code injection will not allow `eval` and `new Function` (they are considered equivalent from a security perspective), so this PR would prevent numeric.js from working for sites that employ CSP.
And, unfortunately, the sites that need CSP the most are sites that deal with user-generated content, such as "notebook" websites where users can write their own numeric programs and run them, or things like jsfiddle/jsbin/codepen/etc.
This patch would make numeric.js unusable on those sites, so I'd strongly advise to find a solution that does not involve `Function` at all.
@Pomax note that Numeric already uses the Function constructor all over the place, e.g. https://github.com/sloisel/numeric/blob/f013f23adaaafd5fe5cd94d92076e205e20da412/src/numeric.js#L332 so I don't believe this PR would change anything from the perspective of CSP.
Perhaps not, but it would certainly be another thing to then also rewrite in order to keep numeric.js usable in a CSP enabled web landscape.
Can this PR be closed? It's from quite a few years ago and I can't remove it from my pulls/mentioned even though I would really love to stop seeing it there =)
This replaces calls to JavaScript's `Function()` with calls to the new `numeric.compile()`, which is a wrapper that closures in the numeric object so that methods on it can be used inside compiled code. The motivation here is to allow using numeric without globally exporting the `numeric` symbol. Done in collaboration with @ehberger.