Content Security Policy violations due to needing unsafe-eval for dbr-8.6.3.wasm.js

[bbakerati]

I am using dynamsoft-barcode-reader @8.6.3 in a web application built with React. We recently had a security audit of the application that recommended adding a stricter Content Security Policy. Due to the use of the eval function in the wasm.js file, we are unable to remove unsafe-eval from our content security policy, which the audit recommends.

Do you have a way to avoid using the wasm.js script altogether, or do you have future plans to remove the use of eval in these JavaScript files?

Here is the line where the import failure occurs when unsafe-eval is not part of the Content Security Policy:

https://github.com/Dynamsoft/javascript-barcode/blob/3f4fc90c722d324b4aa453c13d7e60bb12a25eed/dist/dbr-8.6.3.worker.js#L25

3 uses of eval in dbr-8.6.3.wasm.js:
https://github.com/Dynamsoft/javascript-barcode/blob/3f4fc90c722d324b4aa453c13d7e60bb12a25eed/dist/dbr-8.6.3.wasm.js#L78
https://github.com/Dynamsoft/javascript-barcode/blob/3f4fc90c722d324b4aa453c13d7e60bb12a25eed/dist/dbr-8.6.3.wasm.js#L120

[Keillion]

We do need to call some js function from wasm, so eval is necessary. The behavior is limited in worker, does not affect document.

So I hope one day this line can finally work: worker-src 'unsafe-eval'. Then the eval is only allowed in worker.

---

Currently,
min CSP work in React + wasm in CDN + license host by dynamsoft:

child-src blob:; 
worker-src blob:; 
connect-src https://cdn.xxx https://mlts.dynamsoft.com https://slts.dynamsoft.com; 
script-src https://cdn.xxx 'unsafe-eval'; 
img-src data: blob:; 
media-src data:;

min CSP work in helloworld.html:

child-src blob:; 
worker-src blob:; 
connect-src https://cdn.jsdelivr.net/npm/dynamsoft-javascript-barcode@8.6.3/ https://mlts.dynamsoft.com https://slts.dynamsoft.com; 
script-src https://cdn.jsdelivr.net/npm/dynamsoft-javascript-barcode@8.6.3/ 'unsafe-inline' 'unsafe-eval'; 
style-src 'unsafe-inline'; 
img-src data: blob:; 
media-src data:;

---

We are researching to split worker and dom in different scopes, so CSP control can be more specific.

[bbakerati]

OK that makes sense to me. Thanks for clarifying. We will work to apply the min CSP recommended above, and appreciate your help.