Allow disabling eval patching #29
Conversation
There was a problem hiding this comment.
Thank you for this :)
I think it's okay to defer patching until when the SDK is created. I suppose in some way we could patch everything else beforehand.. but I don't think the complexity is worth it.
I think it is preferable to still create the Signals object beforehand, but to only set up the patching in a deferred way, what do you think? As we collect behavioral signals (e.g. mouse movement data), and some sites may only create a SDK instance just in time 🤔).
One change I would propose is adding a boolean to the Signals struct somewhere that indicates this setting is true. To save on some bytes we usually use some short name, so something like dep for disableEvalPatching could work. I think we can set that value in getSignals
src/sdk/options.ts
Outdated
| const m: HTMLMetaElement | null = document.querySelector(`meta[name="frc-disable-eval-patching"]`); | ||
| if (!m) return false; | ||
|
|
||
| return m.content === "true"; |
There was a problem hiding this comment.
I would consider return !!m.content (so any truthy value is enabled) 🤔
There was a problem hiding this comment.
I initially only checked if the element was present at all, but I thought some users might set it to false and expect it to be enabled 🤔 !!"false" is still evaluates to true ...
I'm happy to change it anyway, this is just why I decided to explicitly check for true.
There was a problem hiding this comment.
It's tricky.. In HTML often even an empty attribute is truthy 😰
Like <button disabled> I think is equivalent to <button disabled="">.. I'm not sure what the least "surprising" approach is
There was a problem hiding this comment.
I did some research but didn't find anything specific to meta tags. You are right that the presence of an attribute usually means it's true: If an HTML tag contains a boolean attribute — no matter the value of that attribute — the attribute is set to true on that element. (MDM)
So I think changing it to !!m.content is the right thing.
Co-authored-by: Guido Zuidhof <me@guido.io>
Co-authored-by: Guido Zuidhof <me@guido.io>
This adds an option to
FriendlyCaptchaSDKthat allows users to disable the patching ofwindow.evalwhich happens to break some websites. Users that use thesite.jsversion can create afrc-disable-eval-patchingmeta tag similar to thefrc-api-endpointmeta tag for configuring the API endpoint.To make this possible we had to defer the patching until the SDK is created. I believe this is fine because we tell users to create one global SDK instance.
We considered two other options for the configuration in the
site.jsversion:<script src="site.js?disableEvalPatching=1">), the downside is that users would have to put it on both the compat and non-compat script tag.script data-disable-eval-patching="1" src="site.js" />), same downside as above and in the module version `import.meta´ doesn't expose the dataset of the script element directly.