Remove use of eval in non-legacy rollup builds #1760
Conversation
| @@ -346,7 +346,7 @@ export function get_page_handler( | |||
| const legacy_main = `${req.baseUrl}/client/legacy/${build_info.legacy_assets.main}`; | |||
| script += `(function(){try{eval("async function x(){}");var main="${main}"}catch(e){main="${legacy_main}"};var s=document.createElement("script");try{new Function("if(0)import('')")();s.src=main;s.type="module";s.crossOrigin="use-credentials";}catch(e){s.src="${req.baseUrl}/client/shimport@${build_info.shimport}.js";s.setAttribute("data-main",main);}document.head.appendChild(s);}());`; | |||
| } else { | |||
| script += `var s=document.createElement("script");try{new Function("if(0)import('')")();s.src="${main}";s.type="module";s.crossOrigin="use-credentials";}catch(e){s.src="${req.baseUrl}/client/shimport@${build_info.shimport}.js";s.setAttribute("data-main","${main}")}document.head.appendChild(s)`; | |||
There was a problem hiding this comment.
what was this try / catch trying to detect? I feel like it was to see what browser you were using and can't simply be removed
There was a problem hiding this comment.
Looks like it was trying to detect "import" support to add the module script, otherwise it added "shimport".
There was a problem hiding this comment.
If there's a way to detect ESM/import/import() support without a try-catch, then I'd be all for switching to that. Otherwise, as I indicated below, I don't think we can just do this without it being a breaking change. (And it'd be a breaking change that I don't think could be easily worked around for people that need to support these browsers. They'd be stuck on the old version.)
There was a problem hiding this comment.
@Conduitry Agreed. I'll have a look 👍
|
I'd be wary about making this without it being a breaking change. Are there, say, any old version of Chromium on old web TVs that support async/await but do not support ESM? I would imagine so, and I know there are people who use Sapper for these environments. |
@Conduitry Good point, this would be a breaking change. If those people have not targetted legacy then Could we rewrite that try/catch then to be CSP safe? 🤔 |
|
|
|
Does that safely check for dynamic import support as well? There was a while where Firefox supported |
|
Unfortunately I think 'new Function' is the way to test dynamic. Could we solve this another way? Default to using shimport and then expose a flag for people to skip/disable it? It's like the opposite of legacy though. |
|
If there's not a reasonable way to test for dynamic imports, then I think at this point in Sapper's life, the answer for how to do this in a CSP-compatible way is to use a fork of Sapper. There's not a good way to expose options like this without there being an overbearing number of CLI options. I would encourage you to follow along with SvelteKit and, when we get to a point where we begin to think about differential legacy builds there, to advocate for whatever features you think are necessary to keep CSP happy. |
|
But whats wrong with try catch? |
|
|
|
I haven't checked, but won't |
|
either dynamic import exists, then it returns a promise and its error is catched with .catch(ex), or import doesnt exists and its throws a default error catched by try-catch... if import('') really does a parsing error, then you can use any valid string here |
|
oh you are right - giving syntax error on IE |
|
@Kapsonfire-DE @Conduitry Thanks for digging in to this. I have added a comment to 2 SvelteKit issues and will follow the progress. I'm going to fork Sapper I think to get around the issue for now, as like you said there won't be many changes to Sapper anyway and hopefully we can move to Kit soon. Thanks for looking at this anyway 👍 |
Description
As @maximedupre reported in #1622:
Adding
unsafe-evalto CSP would then defeat the purpose of using CSP.It was using
new Functionto do feature detection for imports, but it looks like that is now supported by all non-legacy browsers anyway.This PR removes the try/catch when building a non-legacy rollup bundle, thereby removing the use of shimport.
This will allow users to remove "unsafe-eval" from any CSP configuration.
I realise Sapper is in maintenance but I feel like this is a blocking issue for production usage.
Closes #1622
Relates to #343
Test
I came across this issue originally because I added CSP + blocked unsafe-eval and noticed that reactivity did not work.
So I've added a test that does just that. Binds a text input, types in a value and then checks that the updated value is shown.
This test now passes, before the change it failed.
Questions
nonce_attrin?</script><script${nonce_attr} src="${main}" defer>