Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

d3js blocked by Content-Security-Policy

See original GitHub issue

When the server sends a restrictive Content-Security-Policy header,

Content-Security-Policy: default-src 'self'; script-src 'self'; img-src 'self'

the following error comes up in Firefox:

Content Security Policy: The page's settings blocked the loading of a resource: An attempt to call JavaScript from a string (by calling a function like eval) has been blocked

and a similar to that of Chrome:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".

The culprit is the following code, where a Function object is being created:

    dsv.parse = function(text, f) {
      var o;
      return dsv.parseRows(text, function(row, i) {
        if (o) return o(row, i - 1);
        var a = new Function("d", "return {" + row.map(function(name, i) {
          return JSON.stringify(name) + ": d[" + i + "]";
        }).join(",") + "}");
        o = f ? function(row, i) {
          return f(a(row), i);
        } : a;
      });
    };

The following replacement looks sensible to me, am I missing something?

    dsv.parse = function(text, f) {
      var o;
      return dsv.parseRows(text, function(row, i) {
        if (o) return o(row, i - 1);
        var a = function(d) {
          var r = {};
          row.forEach(function(name, i) {
            r[name] = d[i];
          });
          return r;
        };
        o = f ? function(row, i) {
          return f(a(row), i);
        } : a;
      });
    };

Best regards, uu1101.

– edit: fixed code

Issue Analytics

State:
Created 9 years ago
Comments:13 (8 by maintainers)

Top GitHub Comments

1reaction

currancommented, Nov 5, 2022

0reactions

sabatalecommented, Nov 4, 2022

Unfortunately this is still an issue for most companies with a CSP policy, I got this one today:

function objectConverter(columns) {
--
8057 | return new Function("d", "return {" + columns.map(function(name, i) {
8058 | return JSON.stringify(name) + ": d[" + i + "] \|\| \"\"";
8059 | }).join(",") + "}");
8060 | }

Top Results From Across the Web

How to fix 'because it violates the following content security ...

'because it violates the following content security policy directive' is a browser error message that occurs when Content Security Policy is blocking a ......

Content Security Policy (CSP) - AppSec Monkey

Content Security Policy is an outstanding browser security feature that can prevent XSS (Cross-Site Scripting) attacks. It also obsoletes the ...

Chrome Extension "Refused to load the script because it ...

Google Chrome has CSP (Content Security Policy), which means chrome extensions don't allow the external script. If you are using the vue cdn ......

blocked:csp Understanding why CSP blocks resources

You may be seeing blocked:csp in Chrome developer tools when the browser ... CSP stands for Content Security Policy, and it is a...

A novel policy-based XSS defense mechanism for browsers

Index Terms—Cross-site scripting attacks, content security policy, origin confinement, ... can block more XSS attacks, whereas it may introduce.