Support Basic non-Strict Content-Security Policy (CSP) #361

rajsite · 2024-08-07T22:13:15Z

If I configure a page using the OWASP recommended Basic non-Strict CSP Policy, i.e. for example by adding the following <meta> tag:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-ancestors 'self'; form-action 'self';">

I get an error similar to the following in Chrome due to eval / Function constructor usage:

    Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self'".

    at Function (<anonymous>)
    at compile (arquero.js?v=01b19c5c:2969:10)
    at expr (arquero.js?v=01b19c5c:2973:27)
    at Object.value (arquero.js?v=01b19c5c:8802:66)
    at parse_default (arquero.js?v=01b19c5c:8817:9)
    at derive (arquero.js?v=01b19c5c:9955:30)
    at ColumnTable.derive (arquero.js?v=01b19c5c:23547:12)
    at main.ts:12:4

It would be great to be able to use arquero without requiring unsafe-eval (even if it's a teeny bit slower 🐢). Example stackblitz.

The text was updated successfully, but these errors were encountered:

rajsite mentioned this issue Aug 7, 2024

Wafer Map High Performance Redesign ni/nimble#2034

Open

11 tasks

rajsite changed the title ~~Support Basic non-Strict CSP Policy~~ Support Basic non-Strict Content-Security Policy (CSP) Aug 7, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support Basic non-Strict Content-Security Policy (CSP) #361

Support Basic non-Strict Content-Security Policy (CSP) #361

rajsite commented Aug 7, 2024

Support Basic non-Strict Content-Security Policy (CSP) #361

Support Basic non-Strict Content-Security Policy (CSP) #361

Comments

rajsite commented Aug 7, 2024