[V6] unsafe-eval

[ohrrkan]

Ethers Version

6.0.2

Search Terms

unsafe-eval

Describe the Problem

We have a Strict CSP policy for security reason on our website. this mean eval is not allow.

Updating from v5 to V6 without change our CSP seem impossible as browser throw an error. do you confirm?

Code Snippet

No response

Contract ABI

No response

Errors

'EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive'

Environment

Ethereum (mainnet/ropsten/rinkeby/goerli)

Environment (Other)

No response

[ricmoo]

There should definitely not be any eval used in ethers v6. Can you identify the source??

[ohrrkan]

Going deeper, the specification list other similar methods that can trigger the error :

https://www.w3.org/TR/CSP3/#directive-script-src

The following JavaScript execution sinks are gated on the "unsafe-eval" source expression:

eval()
Function()
setTimeout() with an initial argument which is not callable.
setInterval() with an initial argument which is not callable.

NOTE: If a user agent implements non-standard sinks like setImmediate() or execScript(), they SHOULD also be gated on "unsafe-eval". Note: Since "unsafe-eval" acts as a global page flag, script-src-attr and script-src-elem are not used when performing this check, instead script-src (or it’s fallback directive) is always used.

I will investigate more.

[ricmoo]

In that case, maybe this is the problem?

https://github.com/ethers-io/ethers.js/blob/main/src.ts/providers/abstract-provider.ts#L1068

If so, it’s easy for me to wrap it in a () => (func()).

[ohrrkan]

Seems the error is trigger by a conflict with somethings else => I cannot reproduce it in a vanilla environement for testing. Closing this issue for now and will re-open if I found the conflicting source.

[ohrrkan]

Re-open with more info :

Throw by

ethers.js/lib.esm/contract/contract.js

Line 168 in 3a0d868

super();

simple vanilla to reproduce index.html :

<!DOCTYPE html>

<html lang="en">
  <head>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <meta http-equiv="Content-Security-Policy" content="default-src 'self'" />
    <title>Test Page</title>
  </head>

  <body>
    <h1>Test Page</h1>
    <p id="content"></p>
    <script type="module" src="./index.js"></script>
  </body>
</html>

index.js

import { BrowserProvider, getDefaultProvider } from "./node_modules/ethers/dist/ethers.js";

async function main() {
  let provider;
  if (window.ethereum == null) {
    console.log("MetaMask not installed; using read-only defaults");
    provider = getDefaultProvider();
  } else {
    provider = new BrowserProvider(window.ethereum);
  }
  const balance = await provider.getBalance("ethers.eth");
  document.getElementById("content").innerHTML = balance;
}

main();

[ricmoo]

I don’t understand why that would cause an eval issue? The function that is extends returns the Function class, which should have a super? Or you aren’t allowed to use Function sub-classes?

Do you have any more info on this warning?

[ohrrkan]

the Full error log :

Uncaught (in promise) EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self'".

    at new Function (<anonymous>)
    at new WrappedMethod (contract.js:168:9)
    at Contract.getFunction (contract.js:619:17)
    at Object.get (contract.js:560:39)
    at #getResolver (ens-resolver.js:420:41)
    at async EnsResolver.fromName (ens-resolver.js:451:26)
    at async BrowserProvider.getResolver (abstract-provider.js:700:16)
    at async BrowserProvider.resolveName (abstract-provider.js:710:26)
    at async checkAddress (checks.js:54:20)
    at async Promise.all (:3000/index 0)

[raulrpearson]

I'm getting something similar on Cloudflare Workers. It seems to appear when I call a contract's method. I created a repo with the reproduction in case it's helpful or maybe you can point out if I'm making some mistake. I haven't deployed, the error is triggered on npm run dev.

[EdenCrow]

I'm also getting this error when using ethers.js for a Chrome Extension. Manifest V3 seems to have stricter CSPs and won't allow my extension to run, while Manifest V2 does.

Uncaught (in promise) EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules' http://localhost:* http://127.0.0.1:*".

    at new Function (<anonymous>)
    at new WrappedMethod (main.bundle.js:7452:9)
    at Contract.getFunction (main.bundle.js:7903:17)
    at Object.get (main.bundle.js:7844:39)
    at #getResolver (main.bundle.js:13676:41)
    at async EnsResolver.fromName (main.bundle.js:13707:26)
    at async EtherscanProvider.getResolver (main.bundle.js:15364:16)
    at async EtherscanProvider.resolveName (main.bundle.js:15374:26)
    at async getInfo (main.bundle.js:16430:24)

Seems to be the same place the error is thrown as mentioned before:

ethers.js/lib.esm/contract/contract.js

Line 168 in 3a0d868

super();

[ricmoo]

Linking this to #3763, which seems to have the same root cause.

[ricmoo]

Pretty sure I’ve figured out the problem, and have a solution. I’ll try it out and will release a minor bump (6.2.0) to address it.

[ricmoo]

This has been addressed in v6.2.0. Please try it out and let me know if there are any problems. :)

[ohrrkan]

Test ok. confirm it work for me. Thanks