Not compatible with strict CSP due to `new Function(..)` in property-expr
Hi, I just wanted to highlight that this library doesn’t work with content security policies where unsafe-eval is not allowed. This is because the property-expr module compiles functions for property access. See https://github.com/jquense/expr/issues/1 by @harriha.

I suppose the function compilation gives a performance boost, but for me it’s more important to have as strict a CSP as possible. I’m not sure whether this should be fixed in https://github.com/jquense/expr/ or whether that dependency should be dropped from yup itself.
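To make the reported failure mode concrete, here is an added example (not code from yup or property-expr) contrasting the two ways a property-path library can resolve `a.b[0].c`: compiling an accessor with `new Function(..)`, which a CSP lacking `'unsafe-eval'` blocks with an `EvalError`, versus walking the parsed path at runtime, which needs no code generation. The names `compiledGetter`, `safeGetter`, `parsePath`, `evalAllowed` and `getter` are hypothetical, the sample object is constructed, and the feature test only tells you whether the current realm permits dynamic code, not what the page's own policy is.

```javascript
// Added example: CSP-safe vs. eval-dependent property-path access.
// None of this is yup's or property-expr's code; all names are hypothetical.

// Split "a.b[0].c", 'a["dotted.key"]' or "a['k']" into path segments.
// Quoted bracket keys are returned without their quotes (no unescaping).
function parsePath(path) {
  const parts = [];
  const re = /[^.[\]]+|\[(\d+|"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')\]/g;
  let m;
  while ((m = re.exec(path)) !== null) {
    if (m[1] === undefined) {
      parts.push(m[0]); // bare identifier between dots
    } else if (m[1][0] === '"' || m[1][0] === "'") {
      parts.push(m[1].slice(1, -1)); // ["key"] or ['key']
    } else {
      parts.push(m[1]); // [123]
    }
  }
  return parts;
}

// The pattern a strict CSP rejects: source text is turned into a function at
// runtime. Under a policy without 'unsafe-eval' this throws an EvalError.
function compiledGetter(path) {
  const body =
    'return obj' +
    parsePath(path).map((k) => '?.[' + JSON.stringify(k) + ']').join('') +
    ';';
  return new Function('obj', body);
}

// The code-generation-free alternative: interpret the parsed segments.
// Same null-safe semantics as the compiled form, so results are comparable.
function safeGetter(path) {
  const parts = parsePath(path);
  return function (obj) {
    let cur = obj;
    for (const key of parts) {
      if (cur === null || cur === undefined) return undefined;
      cur = cur[key];
    }
    return cur;
  };
}

// Feature test: does this realm allow creating functions from strings?
// Returns false under a browser CSP without 'unsafe-eval' (and under Node's
// --disallow-code-generation-from-strings), true otherwise.
function evalAllowed() {
  try {
    return new Function('return true')() === true;
  } catch (e) {
    return false;
  }
}

// Pick the implementation the environment can actually run. Falling back to
// the interpreter avoids a hard failure at the first property lookup.
function getter(path) {
  return evalAllowed() ? compiledGetter(path) : safeGetter(path);
}

// Constructed sample input.
const sample = { a: { b: [{ c: 42 }], 'dotted.key': 'x' } };

// Example usage (stand-alone run):
console.log(safeGetter('a.b[0].c')(sample));        // 42
console.log(safeGetter('a["dotted.key"]')(sample)); // x
console.log(evalAllowed() ? 'dynamic code allowed' : 'dynamic code blocked');
```

The runtime check is what a consumer can use to decide whether a dependency like this will work at all under the deployed policy; the interpreter-style getter is what the library would need to ship to be usable without `'unsafe-eval'`, at the cost of the compilation speed-up the issue mentions.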
Issue Analytics
- Created 6 years ago
- Reactions:1
- Comments:7 (3 by maintainers)
Top GitHub Comments
It generates too many reports. We need a solution, or to merge this PR.
Cool, I hear ya 😄

Unfortunately I’m leaving this project tomorrow, so until I need to use yup next I won’t have the time to work on this either. But I’m glad we’re clear on an approach so that somebody can pick this up. Thanks for yup!