CSP (Content Security Policy) rules are blocking react-virtualized execution

[goldoraf]

Hi!

When CSP rules are enforced by the server, react-virtualized is blocked because of the use of eval by the interval-tree-1d dependency, and its own dep binary-search-bounds. This issue may impact a larger and larger number of users in the future. I understand this dependency is used for performance reasons, and I'm afraid I haven't any replacement solution for this, but I wanted to discuss the issue with you, and see if we could manage to find a solution. Any thoughts?

[bvaughn]

Hey @goldoraf,

Thanks for bringing this to my attention. We should file an issue with binary-search-bounds I think. Would you be willing to do that?

[bvaughn]

In the meanwhile, unless you're using the Masonry component, you don't actually need or use this dependency. If your build system is pulling it in- you can work around this using a deep import.

// Rather than...
import { List } from 'react-virtualized'

// You could do...
import List from 'react-virtualized/dist/commonjs/List'

This will also likely help with your bundle size slightly.

I've been meaning to write up a section of the docs about this.

[bvaughn]

I've reported this issue to the owner of the packages in question. For the time being, I'll inline the packages with a fix to avoid the unnecessary dynamic code generation.

[bvaughn]

Upstream issue submitted @ mikolalysenko/binary-search-bounds/issues/5
Fix submitted @ mikolalysenko/binary-search-bounds/pull/6

[bvaughn]

Fixed with e7337fb. Will be released shortly with 9.6.0

[goldoraf]

Wow, you're fast 😄 Thanks a lot for this, and for your great lib in general!

[bvaughn]

You're welcome 👍 And thank you

[bvaughn]

9.6.0 release just went out with this.