
"eval" in 2.6.3 requires the use of an unsafe-eval CSP directive

First of all, thank you for your solution which is really great and quite incredible in terms of performance!

Feature request

Remove the use of eval (found in …Function("return this")()||(0,eval)("this")… in https://cdn.jsdelivr.net/npm/instantsearch.js@2.6.3) so that we could use a script-src directive in our Content Security Policies that would not be forced to unsafe-eval.

Use case

I have a pretty restrictive CSP on borisschapira.com and don’t want to authorize all my third-party domains to execute eval in order to authorize Algolia Instant Search on my search page.

work to fix this (added by @haroenv)

remove or fork Hogan.js to remove the lines using new Function. I think this might be quite hard, since AFAICT, it’s what allows {{{. We could enforce template strings maybe however 🤔

https://github.com/twitter/hogan.js/blob/7e340e9e4dde8faebd1ff34e62abc1c5dd8adb55/lib/compiler.js#L293
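The fragment quoted in the request is the global-object probe that makes the bundle need 'unsafe-eval'. As an added example (not part of the issue and not instantsearch.js or Hogan.js code), the JavaScript below does three things a practitioner reviewing this would want: parse a policy string to decide whether it permits eval (script-src, falling back to default-src), scan a constructed bundle snippet for the patterns that CSP blocks without 'unsafe-eval', and show the eval-free way to obtain the global object. The function names (cspAllowsEval, findStringCompilation, globalObject) and the sample policy strings are assumptions; the snippet is constructed to match the quoted fragment and is not the real bundle.

```javascript
// Added example, not code from the issue or from instantsearch.js/Hogan.js.
//   1. cspAllowsEval: does a Content-Security-Policy string permit eval?
//   2. findStringCompilation: flag the eval/Function sinks in a bundle.
//   3. globalObject: eval-free replacement for Function("return this")()||(0,eval)("this").

// Parse one policy into a directive -> source-list map. Duplicate directives are
// ignored after the first, as the CSP spec requires.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// eval(), new Function() and string-argument setTimeout/setInterval are governed
// by script-src, falling back to default-src. With neither present the policy does
// not restrict string compilation at all. Keywords match case-insensitively.
// A response carrying several CSP headers must pass this check for every one.
function cspAllowsEval(header) {
  const directives = parseCsp(header);
  const governing = directives.has('script-src') ? 'script-src'
    : directives.has('default-src') ? 'default-src' : null;
  if (governing === null) {
    return { allowsEval: true, governing, reason: 'no script-src or default-src; eval is unrestricted' };
  }
  const sources = directives.get(governing).map((s) => s.toLowerCase());
  const allowsEval = sources.includes("'unsafe-eval'");
  return {
    allowsEval,
    governing,
    reason: `${governing} ${allowsEval ? 'contains' : 'omits'} 'unsafe-eval'`,
  };
}

// Patterns a CSP blocks without 'unsafe-eval'. Regexes over minified source can
// produce false positives (a method literally named eval), so confirm hits by hand.
const SINKS = [
  { kind: 'direct-eval', re: /\beval\s*\(/g },
  { kind: 'indirect-eval', re: /\(\s*0\s*,\s*eval\s*\)/g },
  { kind: 'Function-constructor', re: /\b(?:new\s+)?Function\s*\(/g },
  { kind: 'string-timer', re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/g },
];

function findStringCompilation(source) {
  const hits = [];
  for (const { kind, re } of SINKS) {
    for (const m of source.matchAll(re)) hits.push({ kind, index: m.index, text: m[0] });
  }
  return hits.sort((a, b) => a.index - b.index);
}

// The global-object probe with no string compilation. globalThis covers every
// current engine; the fallbacks are for older browsers, workers and Node.
function globalObject() {
  if (typeof globalThis === 'object') return globalThis;
  if (typeof self === 'object') return self;
  if (typeof window === 'object') return window;
  if (typeof global === 'object') return global;
  throw new Error('unable to locate the global object');
}

// Constructed input modelled on the fragment quoted in the issue; not the real bundle.
const BUNDLE_SNIPPET = 'var g=Function("return this")()||(0,eval)("this");';
// Assumed policies: the restrictive one the reporter wants, and the loosened one.
const STRICT_POLICY = "default-src 'self'; script-src 'self' https://cdn.jsdelivr.net";
const LOOSE_POLICY = "default-src 'self'; script-src 'self' 'unsafe-eval' https://cdn.jsdelivr.net";

console.log(cspAllowsEval(STRICT_POLICY));
console.log(cspAllowsEval(LOOSE_POLICY));
console.log(findStringCompilation(BUNDLE_SNIPPET));
console.log(globalObject() === globalThis);
```

Run it with node; under STRICT_POLICY the scanner's two hits (the Function constructor and the indirect eval) are exactly what the browser would refuse to compile. Note that 'wasm-unsafe-eval' is a separate keyword and does not unblock JavaScript eval.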

Issue Analytics

  • State: open
  • Created 5 years ago
  • Reactions: 3
  • Comments: 19 (13 by maintainers)

Top GitHub Comments

5 reactions
borisschapira commented, Apr 25, 2018

Just to be clear for future readers (or ourselves in several months), changing the CSP to accept the eval would mean adding unsafe-eval. In most cases, the common security recommendation is to avoid eval() at all costs, as it can be a vector for Cross-Site Scripting attacks (if you want to know more, learn about the script-src directive in a Content Security Policy).

1 reaction
heiskr commented, Dec 1, 2020

Awesome @Haroenv, nice to meet you! Thanks for the tip about aliasing, I totally forgot about it. I used webpack to alias out Hogan. I realized we’re actually not using any of the templating built in as we do all our own templates, so I made a quick shim to fill Hogan so it doesn’t error out.

I added this to our webpack config:

  const path = require('path');

  module.exports = {
    resolve: {
      alias: {
        // every `require('hogan.js')` inside the bundle now resolves to the shim
        'hogan.js': path.resolve(__dirname, 'javascripts/fake-hogan.js')
      }
    }
  };

And then my fake-hogan.js file is just:

// Stand-in for Hogan.js: the app renders its own templates, so compile()
// only has to return something with a render() method, and nothing here uses eval.
export default {
  compile (template) {
    return {
      render (data) {
        return ''
      }
    }
  }
}

So that gets us to be able to remove unsafe-eval 🎉


While I was figuring this out, I looked briefly at some Mustache alternatives to Hogan.

                            Hogan   mustache.js   micromustache   Handlebars
  Size, minified non-zip    9KB     12KB          6KB             80KB
  Eval                      Yes     No            No              No
  Interpolation             Yes     Yes           Yes             Yes
  Conditionals/Loops        Yes     Yes           No              Yes
  Helpers                   Yes     No            No              Yes

There are some API differences as well. micromustache is very similar. mustache.js doesn’t have a compile step. Handlebars’ compile returns a function and not an object with render on it.
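The shim in the comment above discards templates because that application renders its own. Where templating is still needed, the compile().render() shape Hogan exposes can be kept without new Function: parse the Mustache template into a tree once and walk that tree at render time, so nothing is compiled from a string and the page stays valid under a script-src without 'unsafe-eval'. The following is an added example, not Hogan.js and not instantsearch.js code; SafeHogan, parseTemplate, renderNodes and lookup are hypothetical names. It covers escaped and triple-brace interpolation, sections and inverted sections, dotted names and comments, but not partials or lambdas.

```javascript
// Added example: an eval-free, Hogan-shaped Mustache renderer.
// Not Hogan.js or instantsearch.js code; a drop-in for the compile().render()
// shape the shim above stubs out. All names here are hypothetical.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => ESCAPES[ch]);
}

// Resolve a dotted name through the context stack, innermost scope first (Mustache scoping).
function lookup(stack, name) {
  if (name === '.') return stack[stack.length - 1];
  const [head, ...rest] = name.split('.');
  for (let i = stack.length - 1; i >= 0; i--) {
    const ctx = stack[i];
    if (ctx !== null && typeof ctx === 'object' && head in ctx) {
      return rest.reduce((v, k) => (v == null ? undefined : v[k]), ctx[head]);
    }
  }
  return undefined;
}

// One tag: {{name}}, {{{name}}}, {{& name}}, {{#name}}, {{^name}}, {{/name}}, {{! comment }}
const TAG = /\{\{(\{|[#^\/!&])?\s*([^{}]*?)\s*\}?\}\}/g;

// Build a tree of text, variable and section nodes. Unbalanced sections are a
// template bug, so they fail loudly at compile time rather than rendering garbage.
function parseTemplate(template) {
  const root = { children: [] };
  const stack = [root];
  let last = 0;
  for (const m of template.matchAll(TAG)) {
    const top = stack[stack.length - 1];
    if (m.index > last) top.children.push({ type: 'text', text: template.slice(last, m.index) });
    last = m.index + m[0].length;
    const [, sigil = '', name] = m;
    switch (sigil) {
      case '!': break;                                   // comment: emit nothing
      case '#': case '^': {
        const node = { type: sigil === '#' ? 'section' : 'inverted', name, children: [] };
        top.children.push(node);
        stack.push(node);
        break;
      }
      case '/':
        if (stack.length === 1 || top.name !== name) throw new Error(`unbalanced section {{/${name}}}`);
        stack.pop();
        break;
      case '{': case '&': top.children.push({ type: 'var', name, escape: false }); break;  // raw, like {{{x}}}
      default: top.children.push({ type: 'var', name, escape: true });                     // HTML-escaped
    }
  }
  if (stack.length !== 1) throw new Error(`unclosed section {{#${stack[stack.length - 1].name}}}`);
  if (last < template.length) root.children.push({ type: 'text', text: template.slice(last) });
  return root.children;
}

// Walk the tree against the data. Arrays repeat the section per item; other truthy
// values render it once (objects become the new scope); falsy values skip it.
function renderNodes(nodes, stack) {
  let out = '';
  for (const node of nodes) {
    if (node.type === 'text') { out += node.text; continue; }
    const value = lookup(stack, node.name);
    if (node.type === 'var') {
      if (value === undefined || value === null) continue;
      out += node.escape ? escapeHtml(value) : String(value);
    } else if (node.type === 'section') {
      if (Array.isArray(value)) {
        for (const item of value) out += renderNodes(node.children, [...stack, item]);
      } else if (value) {
        out += renderNodes(node.children, typeof value === 'object' ? [...stack, value] : stack);
      }
    } else if (node.type === 'inverted') {
      if (!value || (Array.isArray(value) && value.length === 0)) out += renderNodes(node.children, stack);
    }
  }
  return out;
}

// Same surface as the Hogan shim: compile(template) -> { render(data) }.
const SafeHogan = {
  compile(template) {
    const nodes = parseTemplate(template);   // parse once, render many times, never new Function
    return { render(data) { return renderNodes(nodes, [data]); } };
  },
};

// Constructed sample data in the shape of search hits; not taken from Algolia.
const HITS_TEMPLATE = '{{#hits}}<li>{{title}}</li>{{/hits}}{{^hits}}<li>No results</li>{{/hits}}';
console.log(SafeHogan.compile(HITS_TEMPLATE).render({ hits: [{ title: 'CSP' }, { title: '<script>' }] }));
```

Point the webpack alias at a file exporting SafeHogan in place of the empty shim and the bundle's compile().render() calls keep working; Hogan-specific extras (partials, lambdas, the compiled-function cache) are not covered, so templates relying on those need adapting.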
