Not compatible with strict CSP due to `new Function(..)` in property-expr

Hi, I just wanted to highlight that this library doesn’t work with content security policies where unsafe-eval is not allowed. This is because the property-expr module compiles functions for property access. See https://github.com/jquense/expr/issues/1 by @harriha.

I suppose the function compilation gives a performance boost, but for me it’s more important to have as strict a CSP as possible. I’m not sure whether this should be fixed in https://github.com/jquense/expr/ or whether that dependency should be dropped from yup itself.

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Reactions: 1
  • Comments: 7 (3 by maintainers)

Top GitHub Comments

2 reactions
ctretyak commented, Nov 17, 2019

It generates too many reports. We need a solution or to merge this PR.

1 reaction
novemberborn commented, Oct 18, 2017

Cool, I hear ya 😄

Unfortunately I’m leaving this project tomorrow, so until I need to use yup next I won’t have the time to work on this either. But I’m glad we’re clear on an approach so that somebody can pick this up.

Thanks for yup!
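
The incompatibility raised in the issue, shown side by side with a property accessor that needs no runtime code generation. This is an added example, not code from the thread, from yup or from property-expr; the names `compiledGetter`, `parsePath` and `walkingGetter` and the sample data are hypothetical.

```javascript
// Added example: hypothetical names, not property-expr's or yup's API.

// Pattern described in the issue: build source text, compile it at runtime.
// With a CSP whose script-src lacks 'unsafe-eval', the Function constructor
// throws EvalError and the browser records a policy violation.
function compiledGetter(path) {
  return new Function('data', 'return data.' + path);
}

// CSP-compatible alternative: parse the path once, then walk the keys.
// Accepts identifiers (a.b), numeric indexes ([0]) and quoted keys (["x.y"]).
function parsePath(path) {
  const token = /\.?([A-Za-z_$][\w$]*)|\[(\d+)\]|\[(["'])(.*?)\3\]/y;
  const keys = [];
  let pos = 0;
  while (pos < path.length) {
    token.lastIndex = pos;
    const m = token.exec(path);
    if (!m) throw new SyntaxError('Bad path "' + path + '" at offset ' + pos);
    keys.push(m[1] ?? m[2] ?? m[4]);
    pos = token.lastIndex;
  }
  return keys;
}

function walkingGetter(path) {
  const keys = parsePath(path); // parsed once, reused on every call
  return function (data) {
    let current = data;
    for (const key of keys) {
      if (current == null) return undefined; // stop on a missing branch
      current = current[key];
    }
    return current;
  };
}

// Constructed sample input.
const sample = { user: { emails: [{ 'addr.primary': 'a@example.test' }] } };
const samplePath = 'user.emails[0]["addr.primary"]';
console.log(walkingGetter(samplePath)(sample));
```

Wrapping `new Function` in a try/catch and falling back to the walker would still trigger a violation report whenever the policy blocks the attempt, so the walker avoids code generation entirely.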
