Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Disable dynamic execution in WASM build to allow removal of unsafe-eval #323

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

gfodor
Copy link

@gfodor gfodor commented Sep 14, 2022

The current WASM build generates a loader that uses new Function(), which performs a Javascript eval. This is problematic if you want to use a CSP on your site that does not allow unsafe-eval - in other words, if you want to use the transcoder, you're forced to enable eval on your site, which is a security risk.

The NO_DYNAMIC_EXECUTION flag can be used to disable the dynamic execution facilities of the module, which avoids the use of eval but drops support for a few emscripten functions (https://github.com/emscripten-core/emscripten/blob/main/src/settings.js#L1256) which seem unneeded for Basis's use cases. (I may be wrong about this, so hope the PR reviewer can confirm.)

This PR enables this option which re-enables site admins to disable eval on sites which use the basis transcoder.

Thanks for considering the PR!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant