voxeet / voxeet-sdk-web

The Dolby.io Communications SDK for Web.
https://www.npmjs.com/package/@voxeet/voxeet-web-sdk

new Function is breaking csp rules for security #9

Closed Tallyb closed 1 year ago

Tallyb commented 2 years ago

new Function is breaking the unsafe_eval CSP rule. Is it possible to change?

FabienLavocat commented 2 years ago

Could you please elaborate, what version of the SDK triggers this warning? What new function is this about?

Tallyb commented 2 years ago

I see it from 3.3.0 onward (possibly earlier, did not check). Since the code in GH is minified, I cannot link to it. You can search for new Function in the code. Function() is one of the things that breaks the unsafe_eval rule, as you can read here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_eval_expressions. In 3.5.0 the following exists:

new Function("return this")()}catch(e){"object"==typeof window&&(n=window)}e.exports=n}

Is it really necessary to use the new Function?
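The snippet quoted above is the classic "find the global object" idiom that many bundled dependencies carry, and it is exactly what a `script-src` policy without `'unsafe-eval'` blocks. The following is an added example, not code from the voxeet-sdk-web project or from anyone in this thread: it shows the pattern beside a CSP-safe equivalent, and a small audit helper that reproduces the manual "search for new Function in the bundle" check so the result can be asserted in CI. All function names, the pattern list and the constructed sample bundle strings are assumptions of this example.

```javascript
// Added example (not part of voxeet-sdk-web). Runs in Node.js or a browser.
// Under a page policy such as  Content-Security-Policy: script-src 'self'
// the browser treats Function("...") like eval and refuses to compile it.

// The pattern that triggers the CSP violation: a function body compiled from a
// string. In Node.js (no CSP) it simply returns the global object.
function getGlobalViaFunction() {
  return new Function("return this")(); // blocked without 'unsafe-eval'
}

// Equivalent without dynamic code. globalThis is standard (ES2020); the
// remaining checks cover older browsers, workers and Node.js.
function getGlobalSafely() {
  if (typeof globalThis === "object") return globalThis;
  if (typeof self === "object") return self;     // browsers and web workers
  if (typeof window === "object") return window; // older browsers
  if (typeof global === "object") return global; // older Node.js
  throw new Error("unable to locate the global object");
}

// Constructs that require 'unsafe-eval' under script-src. The Function
// pattern matches both `new Function(` and a bare `Function(` call, but not
// `obj.Function(` or identifiers that merely end in "Function".
const UNSAFE_EVAL_PATTERNS = [
  { name: "eval", re: /\beval\s*\(/g },
  { name: "Function constructor", re: /(?<![.\w$])(?:new\s+)?Function\s*\(/g },
  { name: "setTimeout(string)", re: /\bsetTimeout\s*\(\s*["'`]/g },
  { name: "setInterval(string)", re: /\bsetInterval\s*\(\s*["'`]/g },
];

// Scan bundle source text and return every hit with its offset and a short
// context snippet, so a build step can fail when a dependency reintroduces one.
function auditBundleForUnsafeEval(source) {
  const findings = [];
  for (const { name, re } of UNSAFE_EVAL_PATTERNS) {
    re.lastIndex = 0; // reset shared global regex between calls
    let m;
    while ((m = re.exec(source)) !== null) {
      findings.push({
        pattern: name,
        index: m.index,
        snippet: source.slice(m.index, m.index + 40),
      });
    }
  }
  return findings;
}

// Constructed sample inputs (not real SDK code): a minified global-lookup
// shim in the style quoted in the thread, and a CSP-safe rewrite of it.
const SAMPLE_BUNDLE_UNSAFE =
  '!function(){var n;try{n=new Function("return this")()}' +
  'catch(e){"object"==typeof window&&(n=window)}module.exports=n}();';
const SAMPLE_BUNDLE_SAFE =
  '!function(){var n="object"==typeof globalThis?globalThis:window;' +
  'module.exports=n}();';

// Usage: run both samples through the audit and report.
for (const [label, src] of [["unsafe", SAMPLE_BUNDLE_UNSAFE], ["safe", SAMPLE_BUNDLE_SAFE]]) {
  const hits = auditBundleForUnsafeEval(src);
  console.log(`${label}: ${hits.length} finding(s)`, hits.map((h) => h.pattern));
}
```

The audit is a textual heuristic: it catches the common spellings a bundler emits but cannot see indirect forms such as `window["Function"]`, so treat a clean scan as a necessary check rather than proof, and keep the CSP report-only endpoint as the authoritative signal from real browsers.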

FabienLavocat commented 2 years ago

Thanks @Tallyb for reporting this, I will investigate and get back to you on this.

FabienLavocat commented 2 years ago

This unsafe_eval rule is coming from a dependency of our SDK and will be improved in SDK 3.8, so you won't see this warning anymore.

rbonora commented 2 years ago

Hi @FabienLavocat, is the fix now available? Thanks.

pnowa-dolby commented 2 years ago

Hi @rbonora. The issue is fixed in Web SDK 3.7.0; if you search for new Function in voxeet-sdk.js there should be no results.