Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

CSP that blocks unsafe eval errors on regenerator-runtime

See original GitHub issue

Current Behavior

I’ve created a library which compiles and works fine. I can import it in my app and everything runs locally. When I deploy the app to a production environment, the app cannot load and gives an Uncaught EvalError Screen Shot 2021-01-12 at 1 51 28 PM

The app had no CSP issues prior to introducing tsdx (previously my library was bootstrapped by create-react-library)

Expected behavior

I can run an app with a library dependency bootstrapped by tsdx in an environment using a CSP

Suggested solution(s)

I’m not really sure how to fix it, but it seems like regenerator-runtime is running in strict mode but it’s not supposed to be? It looks like this might have been changed in later versions of regenerator-runtime, so maybe updating it would work?

here’s the block from regenerator-runtime that the CSP gets tripped up on (specifically the line in the catch block):

try {
  regeneratorRuntime = runtime;
} catch (accidentalStrictMode) {
  // This module should not be running in strict mode, so the above
  // assignment should always work unless something is misconfigured. Just
  // in case runtime.js accidentally runs in strict mode, we can escape
  // strict mode using a global Function call. This could conceivably fail
  // if a Content Security Policy forbids using Function, but in that case
  // the proper solution is to fix the accidental strict mode problem. If
  // you've misconfigured your bundler to force strict mode and applied a
  // CSP to forbid Function, and you're not willing to fix either of those
  // problems, please detail your unique predicament in a GitHub issue.
  Function("r", "regeneratorRuntime = r")(runtime);
}

Additional context

Here are some related(?) issues that were all I could really find when searching this https://github.com/facebook/regenerator/issues/336 https://github.com/babel/babel/issues/12106 https://github.com/indico/react-overridable/issues/2 mozilla/pdf.js#11036

Your environment

System:
    OS: macOS Mojave 10.14.6
    CPU: (8) x64 Intel(R) Core(TM) i7-4770HQ CPU @ 2.20GHz
    Memory: 201.23 MB / 16.00 GB
    Shell: 3.2.57 - /bin/bash
  Binaries:
    Node: 14.15.1 - /usr/local/bin/node
    Yarn: 1.22.10 - /usr/local/bin/yarn
    npm: 6.14.8 - /usr/local/bin/npm
  Browsers:
    Safari: 14.0.2
  npmPackages:
    tsdx: ^0.14.1 => 0.14.1 
    typescript: ^3.7.5 => 3.9.7 
  npmGlobalPackages:
    typescript: 3.1.6

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:7

github_iconTop GitHub Comments

1reaction
AndrewCraswellcommented, Jan 20, 2021

I think this is where I’m getting stuck: https://github.com/formium/tsdx/issues/169

Is there a way to disable the auto injection of the regenerator-runtime? Seems this was included not too long ago. I generally prefer the consumer to be able to control which polyfills are bundled to avoid the duplication hell that causes these exact sort of pitfalls. Another approach I’ve seen is to include polyfills in the CJS bundle, but not in the ESM.

1reaction
rbrewingtoncommented, Jan 13, 2021

Thank you for the advice. Unfortunately I have to support IE11 and pinning the regenerator runtime also sounds like a potential security concern. I had tried the rollup config approach, but had the path to the strict option wrong. I’ll try that.

Hopefully the regenerator team can find a way to fix this. For anyone else experiencing this, I’m following this open issue to see if they do: https://github.com/facebook/regenerator/issues/378

ETA: Alas… the rollup configuration prevented ‘use strict’ from being added by my library, but the app that is using the library is built with CRA and I believe it added ‘use strict’ when I compiled the app. In any case, my app is still violating the secure CSP.

If anyone knows how to disable ‘use strict’ in CRA please let me know.

Read more comments on GitHub >

github_iconTop Results From Across the Web

CSP that blocks unsafe eval errors on regenerator-runtime #954
Current Behavior I've created a library which compiles and works fine. I can import it in my app and everything runs locally.
Read more >
dealing with unsafe-eval and regeneratorruntime
It seems to be a polyfill for async / await and generator functions to ES5. Still, the name's catchy, so when I ran...
Read more >
javascript - Webpack Babel Function("r", "regeneratorRuntime ...
If I load the appropriate page, I am getting the following error: Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe...
Read more >
Adding 'self', 'unsafe-inline' and 'unsafe-eval' in manifest file of ...
In my app.js, there are two code blocks that generate CSP problems. try { // This works if eval is allowed (see CSP)...
Read more >
ngCsp - API Manual
If you do not provide ngCsp then Angular tries to autodetect if CSP is blocking unsafe-eval and automatically deactivates this feature in the...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Wrong typings generated when importing types from a package in a Rush monorepo (PNPM hard links)

Next page

Typings problems in rush monorepo (pnpm hard links)