Call to new Function() requires unsafe-eval CSP #30

Open
Roang-zero1 opened this issue Dec 24, 2024 · 2 comments

Comments

@Roang-zero1

I am currently trying to roll out the latest version of the VocPlayer for the hub (https://git.cccv.de/hub/hub/-/issues/696).
Unfortunately, an unsafe-eval in the CSP (Content Security Policy) is still necessary in V2.01.
Unfortunately I could not find out exactly where this comes from and therefore could not make a PR.

In the minimized version the following snippet is responsible:

//# sourceURL=/microtemplates/source[` +
          Wl++ +
          "]");
      try {
        i = new Function($t.variable || "obj", "escapeExpr", a);
      } catch (l) {

@iSchluff
Member

I suspect that may be used by Clappr to do templating for its UI elements. Not sure what they use under the hood. If so it is probably not possible to easily get rid of it.

We are on a pretty old Clappr version, but last time we tried to update, it broke a bunch of streams.

@Roang-zero1
Author

Ok, thanks for the answer. Then I'll assume for this event that we still have to exclude the pages from the CSP.
Then I would talk about it again post 38c3.
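
Added example, not part of the thread or the project's code: the issue turns on whether a page's CSP permits `new Function()`, so the sketch below checks a policy string for that and derives a variant that adds `'unsafe-eval'` to `script-src` only, which a site could serve on the player pages instead of dropping the CSP there. The policy strings and function names are constructed for illustration; Trusted Types and report-only policies are not modelled.

```javascript
// Added example: decides whether a Content-Security-Policy value lets
// `new Function(...)` run, and derives a player-page variant that does.
// All policy strings below are constructed samples, not the hub's real policy.

// Parse one serialized policy into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// String compilation (eval, new Function) is governed by script-src,
// falling back to default-src. Nonces, hashes, 'strict-dynamic' and
// 'wasm-unsafe-eval' do not permit it; 'unsafe-eval' does.
function allowsNewFunction(policy) {
  const d = parsePolicy(policy);
  const sources = d.get("script-src") ?? d.get("default-src");
  if (sources === undefined) return true; // no directive restricts scripts
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Return a copy of `policy` that adds 'unsafe-eval' to script-src only,
// leaving every other directive intact. Intended for the player pages alone.
function withUnsafeEval(policy) {
  if (allowsNewFunction(policy)) return policy;
  const d = parsePolicy(policy);
  // If only default-src exists, copy its sources so script-src stays as strict.
  const base = d.get("script-src") ?? d.get("default-src");
  const kept = base.filter((s) => s.toLowerCase() !== "'none'");
  d.set("script-src", [...kept, "'unsafe-eval'"]);
  return [...d].map(([name, src]) => [name, ...src].join(" ")).join("; ");
}

// Constructed site-wide policy and the relaxed variant for player pages.
const SITE_POLICY =
  "default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'";
const PLAYER_POLICY = withUnsafeEval(SITE_POLICY);
console.log(allowsNewFunction(SITE_POLICY), PLAYER_POLICY);
```
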
