Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CSP unsafe-eval required after release 5.2.2 #419

Closed
loremaps opened this issue Dec 5, 2018 · 8 comments
Closed

CSP unsafe-eval required after release 5.2.2 #419

loremaps opened this issue Dec 5, 2018 · 8 comments

Comments

@loremaps
Copy link

loremaps commented Dec 5, 2018
edited

Bug Report or Feature Request (mark with an x)
- [ ] Regression (a behavior that used to work and stopped working in a new release)
- [x] Bug report -> please search issues before submitting
- [ ] Feature request
- [ ] Documentation issue or request

From release 5.2.2 our Content Security Policy gets violated because unsafe-eval are not allowed.
I think it might be related to this bump: d146258

image
@ColinT
Copy link
Contributor

ColinT commented Dec 7, 2018

You may have to submit an issue to mozilla/pdf.js instead of here to make progress since this is a problem inside a dependency.

Here is the offending code:

// pdf.js:13152-13154
var g = function () {
  return this;
}() || Function("return this")();

In particular the Function constructor is probably triggering the unsafe-eval error. Although, I'm not sure why the regular function assignment before the || is not working for you. The eval should only be run if the first assignment fails (evaluates as a non-truthy value).

Try running the first half of the assignment in your inspector to see if it is an environment issue. Or try something like:

var g = function () {
  return 'apples';
}() || Function("return 'bananas'")();

and see what g returns.

@loremaps
Copy link
Author

loremaps commented Jan 11, 2019
edited

Looks like it is going to be resolved with the next release:
mozilla/pdf.js#10387
mozilla/pdf.js#10229

@loremaps
Copy link
Author

loremaps commented Jul 4, 2019

Works with release 5.3.2

@loremaps loremaps closed this as completed Jul 4, 2019
@maxime1992
Copy link

@loremaps 5.3.2 was working fine but trying to upgrade to 5.3.4 broke it again.
It's been a really painful experience to figure that out as it was happening within a lazy loaded module and the only error I had was Runtime compiler is not loaded 😱.

Any idea why it's happening again?

@loremaps
Copy link
Author

loremaps commented Oct 2, 2019

@maxime1992 yes I believe you are also facing this issue: mozilla/pdf.js#11036
Which appears to be an upstream issue of a babel polyfill 😒

@maxime1992
Copy link

Yup thanks I commented there!

@jkroepke
Copy link

jkroepke commented Oct 3, 2019

@loremaps its possible that you remove the dependency and re-add pdfjs-dist as peerDependency?
We can just downgrade the pdfjs dependencies as we need to get a rescue from this issue.

@jkroepke jkroepke mentioned this issue Nov 10, 2019
Closed
@adamdport
Copy link

adamdport commented Sep 23, 2021
edited

Did anyone here ever resolve this issue? I'm still having issues with the latest 7.0.1.

Edit: it looks like the issue is being tracked here. Meanwhile, you can get past CSP issues by the solution in this comment. In case the link becomes stale for whatever reason, run the below before angular loads:

globalThis.regeneratorRuntime = undefined;

I have a beforeAngular.js that I load with a script tag from index.html in head.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@jkroepke @adamdport @ColinT @maxime1992 @loremaps