-
Notifications
You must be signed in to change notification settings - Fork 113
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Undefined handlers cause error when unsafe-eval is restricted by the CSP header #49
Comments
Explanation: Possible Fix:
Current Options:
OnBegin="noop" Option 2) Replace Function.apply so that the eval is not possible. Inspired by this blog post.
|
@KarsonAlford I completely agree and cannot understand why eval is used even in cases where there's nothing to evaluate. Please @mkArtakMSFT, @javiercn reconsider your stance on this. There's no need to depreciate existing features as was described previously in order to support the avoidance of eval. |
I tried applying the changes in #48 to my copy, but i still get CSP violation.. Its getting past the if (!code) return function() { return null; }; check. |
Can you post your example? This fix is to stop empty handlers causing a CSP violation. If you are getting past !code then I assume you have something in a handler that is not a function in the DOM and therefore is being evaluated. |
Sorry l thought it was a fix for what I now know is the other bug that they
said they won’t fix. I’m trying to call a function in a .js file on
success and getting the unsafe eval csp error.
…On Fri, Jul 10, 2020 at 7:08 AM Karson Alford ***@***.***> wrote:
Can you post your example?
This fix is to stop empty handlers causing a CSP violation. If you are
getting past !code then I assume you have something in a handler that is
not a function in the DOM and therefore is being evaluated.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#49 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ADMRZ3EKHYKK7WUEP4VHYSLR24HE5ANCNFSM4G77CRSA>
.
|
Hello dear, First of all, thanks to find a possible solution to this big problem, for an extremely used library in ASP.NET MVC. I can inform you that option 2 has been implemented, within which it throws the following CSP error towards the Jquery library: Stay tuned to your comments. |
See the JS that I am using below. It also prevents $.globalEval which I didn't document in my original post. I hope this helps. disableEval.js
|
Thank you very much @KarsonAlford , it worked perfect. Now to investigate other libraries that also give problems with the CSP, such as the BlockUI. |
After a few years, don't you want to think fundamentally to solve this problem? |
Undefined handlers (OnBegin, OnSuccess, etc.) cause a browser evaluation error when unsafe-eval is restricted by the CSP header.
If you modify all of the text in the handlers to functions instead of JavaScript code then those handlers that contain functions will no longer be blocked by the browser (window.stop [function] vs window.stop() [code needing evaluation]). However, the issue is that the handlers that are left blank will be blocked by the browser and cause an error.
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive:
Related to Issue #23.
The text was updated successfully, but these errors were encountered: