Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

JS: Comply with CSP no-unsafe-eval. #8864

Merged
merged 1 commit into from
Oct 14, 2021
Merged

JS: Comply with CSP no-unsafe-eval. #8864

merged 1 commit into from
Oct 14, 2021

Conversation

marnixbouhuis
Copy link
Contributor

The current implementation uses Function('return this')() to get the global object. This does not work if you are using protobuf on the web and you disallow unsafe-eval with a CSP header.

This PR changes the way the global object is retrieved: it calls a function and sets this to the global object by calling it with .call(null). Then this is returned.
See: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/call#parameters

Note: this won't work when you are using js strict mode (use strict).
If running in strict mode, it will use different fallbacks (that work with CSP settings that disallow eval), if none work it will fall back to the current way of getting the global object.

This fixes:

@acozzette
Copy link
Member

Thanks, @marnixbouhuis.

@marnixbouhuis
Copy link
Contributor Author

Thanks for merging!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants