Use of eval causes security error in Electron #36

Closed
max-mapper opened this issue May 14, 2019 · 6 comments

Comments

@max-mapper

Hi, when using this in Electron the use of eval in rollup-plugin-global-script.js causes this error:

/home/max/exodus/exodus/src/node_modules/@virgilsecurity/e3kit/dist/e3kit.browser.umd.min.js:1 [global-script] EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self'".


    at eval (<anonymous>)
    at /home/max/exodus/exodus/src/node_modules/@virgilsecurity/e3kit/dist/node_modules/virgil-crypto/dist/virgil-crypto-pythia.browser.es.js:3009
    at /home/max/exodus/exodus/src/node_modules/@virgilsecurity/e3kit/dist/node_modules/virgil-crypto/dist/virgil-crypto-pythia.browser.es.js:3009

Similar issue: firebase/firebase-js-sdk#798

@vadimavdeev
Contributor

Hi! We use eval so that emscripten-compiled output (glue js + asm.js) does not get processed by bundlers \ minifiers in 3rd-party apps and libraries. This is needed so that application and library authors do not have to modify their bundler configurations when using this library. See this issue for more details.

We will address this issue in the next major version of this library, but for now your only option would be to allow unsafe-eval as described in the issue you've linked.

@max-mapper
Author

@vadimavdeev Thanks. Would be nice to get rid of eval because in Electron the only option is to mark the entire web renderer process to allow unsafe-eval which opens up eval vulnerabilities in other scripts loaded in the same renderer.
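
The error above names `default-src 'self'` because eval() is governed by `script-src`, which falls back to `default-src` when absent. As an added example (not code from this thread or from the library), the script below parses a single policy string and reports whether eval() would be allowed, which can be used to audit the policy of each renderer; the function names and all sample policies except the one quoted in the error are constructed for illustration.

```javascript
// Added example: decide whether one CSP string lets eval() run.
// Function names are hypothetical; sample policies are constructed,
// except the first, which is the policy quoted in the error message.

// Parse "name v1 v2; name2 v3" into a Map of directive -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// eval() is checked against script-src, falling back to default-src.
function evalVerdict(policy) {
  const d = parseCsp(policy);
  const governing = d.has('script-src') ? 'script-src'
    : d.has('default-src') ? 'default-src' : null;
  if (governing === null) {
    return { governing, evalAllowed: true }; // nothing restricts scripts
  }
  const sources = d.get(governing).map((s) => s.toLowerCase());
  return { governing, evalAllowed: sources.includes("'unsafe-eval'") };
}

// Run the check over a set of named policies, one per renderer.
function auditRenderers(policies) {
  return Object.entries(policies)
    .map(([name, policy]) => ({ name, ...evalVerdict(policy) }));
}

const samplePolicies = {
  fromErrorMessage: "default-src 'self'",
  workaround: "default-src 'self'; script-src 'self' 'unsafe-eval'",
  scriptSrcOverrides: "default-src 'self' 'unsafe-eval'; script-src 'self'",
};

console.table(auditRenderers(samplePolicies));
```

Any policy reported with `evalAllowed: true` permits eval() for every script loaded in that renderer, not only the library that needed it.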

@Jemoka

Jemoka commented Apr 5, 2020

@vadimavdeev Has there been any forward motion on this? It's not a good idea to distribute anything with unsafe-eval in it...

@snanovskyi
Contributor

Hi @Jemoka 👋

Yes, virgil-crypto v4 doesn't use eval. Follow this guide to get started with it.

Let me know if you have any issues with it.

@snanovskyi
Contributor

Hi @Jemoka!
Any news on this? Have you managed to make it work?

@Jemoka

Jemoka commented Apr 9, 2020

I don't think I have this problem anymore, but I am working with Firebase, and it seems like there are other errors that are probably issues on my end... As for this issue, I think it is resolved. Thanks for checking in, @snanovskyi!
