Content Security Policy: eval blocked #491

Closed
scola84 opened this issue Nov 9, 2018 · 7 comments

@scola84

scola84 commented Nov 9, 2018

In Firefox 63+ (Ubuntu and Windows) and Edge I get errors like

Content Security Policy: The page’s settings blocked the loading of a resource at eval (“default-src”).

Is it possible to solve this in v2? Could you put the saveAs function in a separate file in src? Then I can bypass the attachment of the function to global.

@jimmywarting
Collaborator

I was hoping to avoid this with a try/catch

The affected part is this:

    var _global = function () {
      // some use content security policy to disable eval
      try {
        return Function('return this')() || (42, eval)('this');
      } catch (e) {
        // every global should have circular reference
        // used for checking if someone writes var window = {}; var self = {}
        return typeof window === 'object' && window.window === window
          ? window
          : typeof self === 'object' && self.self === self
            ? self
            : typeof global === 'object' && global.global === global
              ? global
              : this;
      }
    }();

@scola84
Author

scola84 commented Nov 9, 2018

Yeah, I understood from the comment. I don't know how old that part of the answer from Stack Overflow is, but apparently some browsers have become even stricter. I'm currently trying some magic with Rollup to get rid of the definition of the global.

@WuglyakBolgoink

WuglyakBolgoink commented Nov 9, 2018

Same here! Can reproduce in Firefox@63.0.1@windows; on macOS Firefox shows Error

Content Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf eval blockiert ("script-src").

but content will be loaded correctly.
Chrome@macos@latest - ok
yandexBrowser@macOS@latest - ok
Safari@macos@latest - ok
Why does this always happen on Friday?)

@WuglyakBolgoink

up.

@scola84
Author

scola84 commented Nov 14, 2018

I solved it by replacing Function('return this')() || (42, eval)('this'); with window during the rollup building process.

Is this package ever used in any other context than the browser?

Anyway, I think you should export your core function in a separate file and attach it to any other context in specific files for those contexts. For me, this issue can be closed.

@jimmywarting
Collaborator

FileSaver doesn't work in any other context but the window. But some include it in web workers and Node.js for some reason

The solution would be to just remove the try and only use the catch method

    var _global = typeof window === 'object' && window.window === window
      ? window
      : typeof self === 'object' && self.self === self
        ? self
        : typeof global === 'object' && global.global === global
          ? global
          : this;

@jimmywarting
Collaborator

released as v2.0.0
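
The two console messages quoted in the thread name different directives ("default-src" and "script-src"), which is consistent with how CSP checks eval() and Function(): against script-src, falling back to default-src when script-src is absent. The sketch below is an added example, not part of the original thread or of FileSaver.js, that reports which directive governs string evaluation for an enforced policy; the function names and sample policies are assumptions constructed for illustration.

```javascript
// Added example (not FileSaver.js code): which CSP directive governs
// eval() / Function() under a given enforced policy, and is it allowed?
// Function names are hypothetical; the sample policies are constructed.

// Parse a serialized policy into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// String compilation is checked against script-src, falling back to
// default-src when script-src is absent.
function evalVerdict(policy) {
  const directives = parsePolicy(policy);
  const governing = ['script-src', 'default-src'].find((d) => directives.has(d)) || null;
  if (governing === null) return { governing, allowed: true };
  // Keyword sources such as 'unsafe-eval' match case-insensitively.
  const sources = directives.get(governing).map((s) => s.toLowerCase());
  return { governing, allowed: sources.includes("'unsafe-eval'") };
}

// A page can carry several policies; eval must pass every one of them.
function evalAllowed(policies) {
  return policies.every((p) => evalVerdict(p).allowed);
}

// Constructed sample policies.
const samples = [
  "default-src 'self'",
  "default-src 'self'; script-src 'self' https://cdn.example",
  "default-src 'none'; script-src 'self' 'unsafe-eval'",
];
for (const p of samples) {
  const v = evalVerdict(p);
  console.log(`${p}\n  -> eval ${v.allowed ? 'allowed' : 'blocked'} (${v.governing})`);
}
```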
