google-protobuf struct_pb.js use unsafe-eval conflict with CSP #6770

Closed
BichengWang opened this issue Oct 15, 2019 · 2 comments

@BichengWang

Version: google-protobuf: 3.10.0
Language: JavaScript
Operating system (Linux ...)

When using struct.proto's JS file, struct_pb.js, as a class to build a Struct, the production environment gives out an error message as follows:

{"message":"Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: \"script-src 'self' 'unsafe-inline' https://d1a3f4spazzrp4.cloudfront.net https://d3i4yxtzktqr9n.cloudfront.net 'nonce-669066d6-d3d1-4736-a703-681c7d493d4a' https://www.google-analytics.com https://ssl.google-analytics.com maps.googleapis.com maps.google.com\".\n","source":"https:///***/client-vendor-cc1de10a77a3962aec6b.js","line":100,"col":145935,"error":{"stack":"Function at /home/***/node_modules/google-protobuf/google/protobuf/struct_pb.js:13:13\n ......   

The struct_pb.js file line 13:


var jspb = require('google-protobuf');
var goog = jspb;
var global = Function('return this')();

goog.exportSymbol('proto.google.protobuf.ListValue', null, global);
goog.exportSymbol('proto.google.protobuf.NullValue', null, global);
goog.exportSymbol('proto.google.protobuf.Struct', null, global);
goog.exportSymbol('proto.google.protobuf.Value', null, global);
goog.exportSymbol('proto.google.protobuf.Value.KindCase', null, global);

That's an unsafe_eval and cannot pass Content Security Policy-restricted environments.
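An added example, not part of the original issue and not google-protobuf code: it reproduces the reported failure and shows one eval-free way to obtain the global object. Node's `vm` option `codeGeneration.strings` is used here as a stand-in for a browser CSP without `'unsafe-eval'`; the names `EVAL_BASED`, `EVAL_FREE` and `resolveGlobal` are hypothetical.

```javascript
// Added example, not google-protobuf code. Node's vm module stands in for a
// browser page whose CSP lacks 'unsafe-eval' (an assumption of this sketch):
// codeGeneration.strings=false makes eval() and Function(string) throw EvalError.
const vm = require('vm');

// The expression from struct_pb.js line 13 in the report above.
const EVAL_BASED = "Function('return this')()";

// Eval-free lookup: probe the well-known global names, so nothing is
// compiled from a string at run time.
const EVAL_FREE = `
  (typeof globalThis !== 'undefined' && globalThis) ||
  (typeof window !== 'undefined' && window) ||
  (typeof self !== 'undefined' && self) ||
  (typeof global !== 'undefined' && global)`;

// Evaluate `expression` in a fresh context and report whether the policy
// blocked it and, if not, whether it really returned the global object.
function resolveGlobal(expression, policy) {
  const context = vm.createContext({}, {
    codeGeneration: { strings: policy.allowEval },
  });
  try {
    // Top-level `this` in a vm script is that context's global object.
    const isGlobal = vm.runInContext(`(${expression}) === this`, context);
    return { blocked: false, isGlobal };
  } catch (err) {
    if (!err || err.name !== 'EvalError') throw err;
    return { blocked: true, isGlobal: false };
  }
}

// Run both expressions with string code generation allowed and disallowed.
for (const [label, expr] of [['eval-based', EVAL_BASED], ['eval-free', EVAL_FREE]]) {
  for (const allowEval of [true, false]) {
    const r = resolveGlobal(expr, { allowEval });
    const outcome = r.blocked ? 'blocked (EvalError)' : `global found=${r.isGlobal}`;
    console.log(`${label} allowEval=${allowEval}: ${outcome}`);
  }
}
```

Only the eval-based expression is blocked when string code generation is disallowed, which is why the policy can stay strict once the generated file stops calling `Function(...)`.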

@BichengWang changed the title from "google-protobuf struct_pb.js use unsafe-eval conflict with" to "google-protobuf struct_pb.js use unsafe-eval conflict with CSP" on Oct 15, 2019
@rhanesoghlyan

I have the same problem

@dlj-NaN
Contributor

dlj-NaN commented Dec 8, 2020

Even though this issue is older (and has more thumbsups!), I'm going to call it a duplicate of protocolbuffers/protobuf-javascript#25. The newer issue has a bit more context, so I think it may be a better point for collecting further discussion.

Please feel free to follow up there, and thanks for filing this issue!

@dlj-NaN dlj-NaN closed this as completed Dec 8, 2020
avm99963-gerrit pushed a commit to avm99963/infinitegforums that referenced this issue Jan 21, 2022
In order to comply with the no-unsafe-eval CSP, we worked around issue
protocolbuffers/protobuf#6770 by including a
modified version of google-protobuf under the src/third_party folder.

This CL updates the google-protobuf version to one which fixes this bug,
and removes the workaround.

Change-Id: Ida7943bad452ee930defbc136602a34910a41977