Do not use eval function in piwik.js (for CSP)

[ondrejmirtes]

In order to implement CSP on my website, I disallowed 'unsafe-eval' in script-src directive. But I cannot track visitors with Piwik, because piwik.js tracking code contains call to eval function twice.

Can you consider rewriting the code so it does not use eval? (Which is a bad idea nevertheless.)

[mattab]

One of the two eval is used in the JSON2 implementation. We can't change that unfortunately.

[ondrejmirtes]

What is the included JSON2 library for, since all current browsers support JSON.parse and JSON.stringify?

[mattab]

@ondrejmirtes it's for all "non-current" browsers that are still tracked by Piwik.

[ondrejmirtes]

So what about eliminating the other (second) eval call that's not part of the JSON2 library and using native JSON.parse/stringify where available? That way, it would be possible to remove 'unsafe-eval' clausule from my CSP string and still track overwhelming majority of users.

I personally don't care about supporting ancient browsers (the whole caniuse overview table is green) and would rather prefer a more secure experience for the majority of users. I suspect most of the developers interested in using Piwik platform would take the same stance.

[mattab]

I personally don't care about supporting ancient browsers

Most people care about tracking as many visits as possible, so I'm afraid it's not as simple as it sounds. Maybe you can create a new issue for this specific change?

[ondrejmirtes]

Well, people who don't setup CSP header would still be able to track them, it's only that in my server configuration, the minority of browsers that would trigger the eval call would not get tracked.

And I realized that the browsers that support CSP also probably have native JSON implementation, so the number of untracked visitors would be zero.

[ondrejmirtes]

My whole motivation behind this issue is to encourage Piwik to stay on the cutting edge of web standards and security because I really like it and want to promote it in the community. So please think about some solutions to enable using strict CSP settings while tracking with Piwik.

[mattab]

@ondrejmirtes sounds good, thanks! Could you maybe create a new issue with more specific scope than "do not use eval"?

For example: Make Piwik compatible with strict CSP settings ?

[tsteur]

I wonder why this issue is closed as it is not fixed? For example we could use https://bestiejs.github.io/json3/ which does not use eval. I just decided to reopen it :)

[tsteur]

FYI: I tried to replace JSON2 with JSON3 but I can't get JSON3 to work with JSLint . Meaning no matter which options I set JSLint always fails and it seems to be not possible to ignore one block of code for JSLint. We should replace JSLint at some point with JSHint which would exactly solve this.

[tsteur]

If someone manages to make Piwik.js work with JSHint we could replace JSON2 with JSON3 and remove all evals. See #7232

[mattab]

since the goal of this issue is really to add CSP support to piwik.js I suggest we mark as duplicate of: #1542

next step: #7232

[tsteur]

Reopen this one since eval !== CSP