Use of eval which is blocked by script-src Content Security Policy #276

Closed
will-newmarch opened this issue Jun 21, 2018 · 4 comments

Comments

@will-newmarch

will-newmarch commented Jun 21, 2018

Is there any possible way the use of 'eval' could be removed from the library? (I realise this might be quite an integral part)

doT/doT.js

Line 40 in 8cae202

_globals = (function(){ return this || (0,eval)("this"); }());

We are having issues with it triggering security warnings around - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

Apparently as part of tightening security using CSP headers eval() is increasingly non-viable.

@mappu

mappu commented Sep 18, 2018

We're having issues too. Replacing the whole _globals section with window.doT = doT; gets past the first hurdle, but after that, the rest of the code is heavily based on new Function which is eval() in disguise.

@drewlee

drewlee commented Oct 3, 2018

We have also run into this issue with an NPM module due to doT being used as a transient dependency. Using eval is a definite code smell/bad pattern from a security perspective. Is this project under active maintenance anymore? This seems to be a rather contentious issue to ignore.

@fomenyesu

I set the Content-Security-Policy to
"script-src 'self' 'unsafe-eval' 'unsafe-inline'; object-src 'self'"
to fix the error.

@epoberezkin
Collaborator

The solution is either to allow eval (as above) or, better, to precompile templates as part of the build step and deploy the functions.
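To make the two suggestions in this thread concrete (replacing the `(0,eval)("this")` globals lookup quoted in the first post, and precompiling templates at build time as recommended above), here is an added example that is not doT's own code. It models a deliberately tiny doT-style interpolation syntax (`{{=it.expr}}`) of my own; the names `getGlobal`, `compileToSource`, `compileAtRuntime`, `emitModule`, and the sample template and data are all constructed for this example and are not part of the library.

```javascript
// Added example (not doT's own code): a minimal doT-style template compiler
// that shows why runtime compilation needs eval/new Function, and how moving
// compilation to a build step removes that need under a strict script-src CSP.
// Only a `{{=it.expr}}` interpolation syntax is modelled, and output is
// HTML-escaped; doT's real syntax and options are not reproduced here.

// CSP-safe replacement for `(0,eval)("this")`: resolve the global object
// without evaluating source text. `globalThis` covers modern engines; the
// fallbacks cover older browsers, workers and Node.
function getGlobal() {
  if (typeof globalThis !== 'undefined') return globalThis;
  if (typeof window !== 'undefined') return window;
  if (typeof self !== 'undefined') return self;
  if (typeof global !== 'undefined') return global;
  throw new Error('unable to locate global object');
}

// Escape interpolated values so a precompiled template is not an XSS sink.
function encodeHTML(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Build step: turn template text into JavaScript *source*. Nothing is
// evaluated here; the result is written to a .js file and shipped as an
// ordinary script, so the browser never needs 'unsafe-eval'.
function compileToSource(template) {
  const parts = [];
  const re = /\{\{=([\s\S]+?)\}\}/g;
  let last = 0;
  let m;
  while ((m = re.exec(template)) !== null) {
    parts.push(JSON.stringify(template.slice(last, m.index)));
    parts.push(`encodeHTML(${m[1].trim()})`);
    last = re.lastIndex;
  }
  parts.push(JSON.stringify(template.slice(last)));
  return `function (it) { return ${parts.join(' + ')}; }`;
}

// Runtime compilation, the pattern CSP blocks: the same source is handed to
// the Function constructor, which is eval in disguise. Kept only to show that
// both paths yield the same render function; a page with script-src and no
// 'unsafe-eval' throws here.
function compileAtRuntime(template) {
  return new Function('encodeHTML', `return ${compileToSource(template)};`)(encodeHTML);
}

// What the build step would emit into e.g. templates.js (constructed here).
// The escaper is inlined so the generated module stands alone.
function emitModule(name, template) {
  return [
    '// generated at build time; no eval needed at runtime',
    encodeHTML.toString(),
    `export const ${name} = ${compileToSource(template)};`,
  ].join('\n');
}

// Constructed sample template and data.
const SAMPLE_TEMPLATE = '<p>Hello {{=it.name}}, you have {{= it.count }} messages</p>';
const SAMPLE_DATA = { name: '<b>Ada</b>', count: 3 };

function renderAtRuntime(template, data) {
  return compileAtRuntime(template)(data);
}

// Usage: run the build step once, commit or bundle the output, and import
// the generated function in the page instead of calling the compiler there.
console.log(emitModule('greeting', SAMPLE_TEMPLATE));
console.log(renderAtRuntime(SAMPLE_TEMPLATE, SAMPLE_DATA));
```

The point of the split is that `compileToSource` only manipulates strings, so it can run under Node in a build pipeline where no CSP applies, while the generated module contains nothing but ordinary function declarations and loads under `script-src 'self'` without `'unsafe-eval'`.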

kevindew added a commit to alphagov/govuk_publishing_components that referenced this issue Jun 6, 2019
The Axe-core library that govuk_publishing_components uses makes use of
a dependency that uses the eval function so this directive is needed
until that is removed.

Relevant project issues:

- dequelabs/axe-core#1175
- olado/doT#276
kevindew added a commit to alphagov/govuk_publishing_components that referenced this issue Jun 10, 2019
The Axe-core library that govuk_publishing_components uses makes use of
a dependency that uses the eval function so this directive is needed
until that is removed.

Relevant project issues:

- dequelabs/axe-core#1175
- olado/doT#276

The effect of this issue is that all uses of component guides trigger
CSP errors for every page view. Oddly this issue doesn't seem to be
observable in Chrome when report only is on, but can be seen in Firefox.
kevindew added a commit to alphagov/govuk_publishing_components that referenced this issue Sep 27, 2019
This adds the GOV.UK security policy to the dummy application of this
gem. This means that when using this app in dev or viewing it at
https://components.publishing.service.gov.uk/component-guide the GOV.UK
CSP will apply.

This also has to unfortunately allow unsafe-eval for JS so that the
component-guide browser can use AXE. Relevant project issues:

- dequelabs/axe-core#1175
- olado/doT#276
5 participants