Minified version uses eval which forces to use a weak Content Security Policy (CSP) #23
Comments
Good point, this seems to be webpack related. Requires investigation.
Has the webpack configuration changed since you made the last release? I don't see any reference to the compression/uglification plugin (webpack does not create a .min.js file in dist anymore).
No it hasn't, the problem was probably there from the start.
Hi @fzaninotto Any pointer on how we could solve this?
We need a webpack hacker...
There's no minification in place in the webpack config.
Publishing a new version :p
We've noticed that the minified build of FakeRest uses eval in some places, for example:
The above fails if the Content Security Policy does not allow unsafe-eval for the script-src attribute.
The error (in Chrome): EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self".
Allowing 'unsafe-eval' for scripts is considered very risky from a security point of view.
Could you create a distribution that does not rely on eval so that we can use FakeRest with a strong CSP?
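An added example, not code from FakeRest or webpack: it parses a Content-Security-Policy header to decide whether the policy permits eval (the decision behind the Chrome error quoted above) and scans bundle text for the eval-style constructs such a policy blocks, so a build can be checked before it ships. The header strings and the sample bundle are constructed for the example.

```javascript
// Added example (not FakeRest's or webpack's code): parse a CSP header and
// decide whether it permits eval(), then scan bundle text for eval-style
// constructs that such a policy would block. Sample inputs are constructed.

// Parse "directive src src; directive src" into a Map of directive -> sources.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // Only the first occurrence of a directive counts; browsers ignore repeats.
    if (!directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// script-src governs eval; if absent, the browser falls back to default-src.
// With neither directive present, the policy places no restriction on scripts.
function cspAllowsEval(header) {
  const directives = parseCsp(header);
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true;
  return sources.includes("'unsafe-eval'");
}

// Constructs CSP treats as string-to-code evaluation. Minified bundles built
// with an eval-based webpack devtool setting typically contain the first.
const EVAL_PATTERNS = [
  { name: 'eval()', re: /\beval\s*\(/g },
  { name: 'new Function()', re: /\bnew\s+Function\s*\(/g },
  { name: 'setTimeout(string)', re: /\bsetTimeout\s*\(\s*['"`]/g },
];

// Return the eval-style constructs found in bundle text, with occurrence counts.
function findEvalUsage(bundleSource) {
  const findings = {};
  for (const { name, re } of EVAL_PATTERNS) {
    const count = (bundleSource.match(re) || []).length;
    if (count > 0) findings[name] = count;
  }
  return findings;
}

// Constructed stand-in for a minified bundle that wraps its modules in eval.
const SAMPLE_BUNDLE =
  '!function(e){var t={};eval("module.exports=function(){}");eval("var a=1");}();';
```

With `script-src 'self'` the header check returns false while the bundle scan reports two `eval()` calls, which is exactly the combination that produces the EvalError above.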