stalniy / casl

CASL is an isomorphic authorization JavaScript library which restricts what resources a given user is allowed to access
https://casl.js.org/
MIT License
5.76k stars 259 forks

Issues with Content Security Policy #234

Closed kailashrdave closed 4 years ago

kailashrdave commented 4 years ago

We are using CASL for our project to check permissions. Recently we encountered that there are some issues with CSP in our application. Going further, we found that it is because of sift.js, which has something like the following in JavaScript...

return"string"==typeof e?new Function("obj","return "+e)

CASL uses "sift" for MongoDB-like filters in JavaScript. I tried to go through the CASL documentation, but found nothing related to CSP or security. Has anybody got this issue before? Is it possible to fix this without adding "unsafe-eval"?

image

Following is the code snippet from sift.js which causes the problem:

image

stalniy commented 4 years ago

That’s a problem. I had requested support for using only specific operators some time ago but there is no progress. https://github.com/crcn/sift.js/issues/153

So what we can do right now:

  1. Please create a CSP issue for sift.js
  2. Use unsafe-eval as a temporary solution
  3. If author doesn’t respond in a day I will fork sift and publish a csp-compliant version.

Thanks for the issue!
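For readers who want to see what a CSP-compliant alternative to the `new Function("obj", "return " + e)` path looks like, here is an added example; it is not code from CASL, sift.js or the thread participants. It implements a small Mongo-style condition matcher where conditions stay plain data and every operator is a named function, so nothing is ever compiled from a string and a `script-src` policy without `'unsafe-eval'` has nothing to block. The CASL-like `RULES` and `can()` helper, the operator set, and the sample objects are constructed for illustration.

```javascript
// Added example (not CASL's or sift's code): evaluating MongoDB-style
// conditions without `new Function`/`eval`, so it runs under a CSP
// script-src policy that omits 'unsafe-eval'.

// Every supported operator is an ordinary function; unknown operators are
// rejected rather than being interpreted as code.
const OPERATORS = {
  $eq: (actual, expected) => actual === expected,
  $ne: (actual, expected) => actual !== expected,
  $gt: (actual, expected) => actual > expected,
  $gte: (actual, expected) => actual >= expected,
  $lt: (actual, expected) => actual < expected,
  $lte: (actual, expected) => actual <= expected,
  $in: (actual, expected) => Array.isArray(expected) && expected.includes(actual),
  $nin: (actual, expected) => Array.isArray(expected) && !expected.includes(actual),
  $exists: (actual, expected) => (actual !== undefined) === Boolean(expected),
};

// Resolve a dotted path such as "author.id" without throwing on missing parts.
function getPath(obj, path) {
  return path.split('.').reduce((cur, key) => (cur == null ? undefined : cur[key]), obj);
}

function isOperatorObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value)
    && Object.keys(value).some((k) => k.startsWith('$'));
}

// Compare one field value against its expected value or operator object.
function matchesValue(actual, expected) {
  if (isOperatorObject(expected)) {
    return Object.entries(expected).every(([op, arg]) => {
      // hasOwnProperty guards against keys like "constructor" reaching Object.prototype.
      if (!Object.prototype.hasOwnProperty.call(OPERATORS, op)) {
        throw new Error(`Unsupported operator ${op}`); // fail closed
      }
      return OPERATORS[op](actual, arg);
    });
  }
  // Mongo semantics: a scalar condition on an array field matches any element.
  if (Array.isArray(actual) && !Array.isArray(expected)) return actual.includes(expected);
  return actual === expected;
}

// Evaluate a whole condition object against `obj`; supports $and / $or.
function matches(conditions, obj) {
  return Object.entries(conditions).every(([key, expected]) => {
    if (key === '$or') return expected.some((c) => matches(c, obj));
    if (key === '$and') return expected.every((c) => matches(c, obj));
    return matchesValue(getPath(obj, key), expected);
  });
}

// Constructed CASL-style rules: conditions are data, evaluated by `matches`.
const RULES = [
  { action: 'read', subject: 'Post', conditions: { published: true } },
  { action: 'update', subject: 'Post',
    conditions: { 'author.id': { $in: [1, 2] }, published: { $ne: true } } },
];

function can(action, subject, instance) {
  return RULES.some((rule) => rule.action === action
    && rule.subject === subject
    && matches(rule.conditions, instance));
}

module.exports = { OPERATORS, getPath, matches, can };
```

Because the operator table is a closed allow-list, this is also the shape of the "only specific operators" feature the sift.js issue linked above asks for: an application ships exactly the operators it needs and nothing else is reachable from rule data.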

kailashrdave commented 4 years ago

@stalniy thanks for the prompt response. I have created an issue for sift.js: #166

stalniy commented 4 years ago

Ok, I can do a quick fix and a separate @casl/ability@4.0.0-alpha which will be csp compliant.

Eventually I plan to contribute either to mingo or sift to allow users to specify which operators they want to use. So, then the issue won't be relevant

stalniy commented 4 years ago

Agreed with sift author to integrate CSP support into his library :) waiting for him to merge my PR

stalniy commented 4 years ago

sift is published, will try to update and publish casl tomorrow (there may be some issues updating sift to the latest version and if so, then I will publish a preview version of @casl/ability which you will be able to use temporarily).

stalniy commented 4 years ago

available in @casl/ability@3.3.0