Replace use of eval()

[moxizhou]

We are using CSP headers and ran into an issue using this library because of the use of unsafe eval.

cesium/Source/Workers/cesiumWorkerBootstrapper.js

Line 2285 in 2fd0e8f

return eval(text);

I am wondering if there is an alternative for this?

[shunter]

This is in third-party code (requirejs) but after a quick look at the code, I'm pretty sure this code is never used in Cesium, so you could try commenting it out or removing it.

[moxizhou]

When I ran cesium, it did go through the line mentioned above, but this was a while ago. I did not know this was third-party code though, so there is no way to remove it on cesium end?

[OmarShehata]

I don't think this is something we plan on changing at the moment, this is just part of how RequireJS works.

I would recommend adding an exception to allow this use eval when running CesiumJS.

[candrews]

Is it possible that use of eval will be eliminated by #9473 ?

[mramato]

@candrews Not as a side effect. The main problem here is that (at least last time I looked) Web Workers do not support loading ES6 modules directly and you need to use an old school browser module system (like amd/requirejs) which is why this code exists. However it's probably worth looking into if that has a better alternative now. I'll add a note to the linked issue for us to take a look. Thanks for the reminder!

[alexfrigault]

Has there been any update on this issue? We are trying to use Cesium in our application but we are required to not include 'unsafe-eval' in our CSP. Simply having Cesium load in through webpack runs into this issue.

[ggetz]

@alexfrigault No updates yet. We are potentially taking a look at eliminating requireJS and therefore eval as a part of some modernization efforts in the near future.

[superFelix5000]

@ggetz any updates on this one? :)

[ggetz]

@pixelschubs Not yet. I would recommend keeping an eye on #9473. We'll post any updates there.

[boeckMt]

@ggetz are there any updates on this Issue?
Issue #9473 is closed and I don't found any helpful things there.

I'm using the packages "@cesium/engine": "^2.2.0" and "@cesium/widgets": "^2.1.1"

[ggetz]

Hi, the most recent blocker for replacing requireJS in our packaged web workers was that Firefox did not support ESM modules in workers. The good news is that issue was recently marked as resolved!

I'll re-open this issue to track updating our build system to remove RequireJS.