Support strict CSP enabled environments #221

Open
ajainarayanan opened this issue Feb 11, 2019 · 3 comments · May be fixed by #223

ajainarayanan commented Feb 11, 2019

Feature request
The library has the usage of `new Function(...)`, for instance (https://github.com/mtth/avsc/blob/master/lib/types.js#L2172), which is considered harmful in environments where CSP policy is enabled with no `unsafe-eval`.

Are there any plans of providing a fallback for such environments?

mtth commented Feb 16, 2019

There are no plans to do so but this sounds like a reasonable idea: I would be happy to review a PR which isolates code-generation and provides an alternate--optional--implementation.

(These Function calls are at the heart of code-generation for decoding and encoding: performance would drastically suffer without.)

mtth changed the title from "Fails in strict CSP enabled environment" to "Support strict CSP enabled environments" on Feb 16, 2019

ajainarayanan commented

@mtth Thanks for the response. I have a rough implementation of converting the usage of `new Function` for types. But unfortunately it is breaking 6 unit tests. I am trying to figure out how to fix them.

Will send out a PR sometime but might need some help on implementing a flag to switch `new Function` usage to a regular function (did I understand this correctly?) and unit tests.

mtth commented Feb 20, 2019

Sounds good, thank you for working on it! Feel free to send a PR even before fixing all the tests if you want early feedback.
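
The fallback discussed in this thread, sketched as an added example that is not avsc's code or API: it probes whether `new Function` is permitted and otherwise builds the same record reader from closures. `compileReader`, its `noCodegen` option and the toy `int`/`string` readers are hypothetical names chosen for illustration.

```javascript
// Under a CSP without 'unsafe-eval', browsers throw from `new Function`.
// Probe once up front instead of failing at first decode.
function codegenAllowed() {
  try {
    new Function('return 1');
    return true;
  } catch (err) {
    return false;
  }
}

// Toy per-type readers over a cursor {values, pos} (constructed for this example).
const readers = {
  int: (cur) => Number(cur.values[cur.pos++]),
  string: (cur) => String(cur.values[cur.pos++]),
};

// Fast path: emit one straight-line reader per record type.
// Field names are embedded via JSON.stringify so a schema-supplied name
// cannot break out of the string literal in the generated source.
function compileWithFunction(fields) {
  const args = fields.map((f, i) => 'r' + i);
  const props = fields.map((f, i) => JSON.stringify(f.name) + ': r' + i + '(cur)');
  const body = 'return function readRecord(cur) { return {' + props.join(', ') + '}; };';
  return new Function(...args, body)(...fields.map((f) => readers[f.type]));
}

// CSP-safe path: same behaviour built from closures, no string evaluation.
function compileWithClosures(fields) {
  const steps = fields.map((f) => [f.name, readers[f.type]]);
  return function readRecord(cur) {
    const out = {};
    for (const [name, read] of steps) out[name] = read(cur);
    return out;
  };
}

// `noCodegen` is the hypothetical opt-out flag; otherwise auto-detect.
function compileReader(fields, opts = {}) {
  for (const f of fields) {
    if (!Object.prototype.hasOwnProperty.call(readers, f.type)) {
      throw new TypeError('unknown type: ' + f.type);
    }
  }
  const useCodegen = !opts.noCodegen && codegenAllowed();
  return useCodegen ? compileWithFunction(fields) : compileWithClosures(fields);
}
```

Running the same test suite against both paths, once with the flag set and once without, is what keeps the two implementations from drifting apart.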
