Use of eval which is blocked by script-src Content Security Policy #276
Comments
We're having issues too. Replacing the whole |
We have also run into this issue with an NPM module due to doT being used as a transient dependency. Using eval is a definite code smell/bad pattern from a security perspective. Is this project under active maintenance anymore? This seems to be a rather contentious issue to ignore. |
I had set the Content-Security-Policy to |
The solution is to either allow eval (as above) or better to precompile templates as part of build step and deploy functions. |
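The "precompile at build time" route mentioned above, as an added example that is not doT's own code: a doT-style `{{=it.x}}` template is turned into the source text of a render function during the build, so the page never calls `new Function()`/`eval()` at runtime and a `script-src` without `'unsafe-eval'` is satisfied. The second helper is a check for whether a given Content-Security-Policy value still permits eval (the CSP shapes quoted in this thread). Both function names are assumptions.

```javascript
"use strict";

// Build step: compile a doT-style template into the *source text* of a
// render function. Only the {{=it.expr}} interpolation form is handled,
// and like doT's {{=}} it does not HTML-escape. The returned string is
// meant to be written to a .js file and shipped as a static script, so
// the browser needs no eval()/new Function() at runtime.
function precompileToSource(template) {
  const parts = [];
  const re = /\{\{=([\s\S]+?)\}\}/g;
  let last = 0;
  let m;
  while ((m = re.exec(template)) !== null) {
    parts.push(JSON.stringify(template.slice(last, m.index)));
    parts.push("(" + m[1].trim() + ")");
    last = re.lastIndex;
  }
  parts.push(JSON.stringify(template.slice(last)));
  return "function (it) { return " + parts.join(" + ") + "; }";
}

// Does this Content-Security-Policy header value let scripts use eval()?
// script-src falls back to default-src when absent; if neither directive
// is present the policy does not restrict eval at all. A repeated
// directive is ignored, as browsers do.
function cspAllowsEval(policy) {
  const directives = new Map();
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  const src = directives.get("script-src") || directives.get("default-src");
  if (!src) return true;
  return src.some((t) => t.toLowerCase() === "'unsafe-eval'");
}
```

In a real build the output of `precompileToSource` would be written to a module file; loading it as an ordinary script is allowed by `script-src 'self'`, whereas compiling the same template in the browser is exactly the `new Function()` call the policy blocks.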
The Axe-core library that govuk_publishing_components uses makes use of a dependency that uses the eval function so this directive is needed until that is removed. Relevant project issues:
- dequelabs/axe-core#1175
- olado/doT#276

The effect of this issue is that all use of component guides triggers CSP errors for every page view. Oddly this issue doesn't seem to be observable in Chrome when report only is on, but can be seen in Firefox.
This adds the GOV.UK security policy to the dummy application of this gem. This means that when using this app in dev or viewing it at https://components.publishing.service.gov.uk/component-guide the GOV.UK CSP will apply. This also has to unfortunately allow unsafe-eval for JS so that the component-guide browser can use AXE. Relevant project issues:
- dequelabs/axe-core#1175
- olado/doT#276
Is there any possible way the use of 'eval' could be removed from the library? (I realise this might be quite an integral part)
doT/doT.js, line 40 in 8cae202
We are having issues with it triggering security warnings around https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
Apparently as part of tightening security using CSP headers eval() is increasingly non-viable.