Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unnecessary usage of eval requires unsafe-eval in CSP #1221

Open
1 of 2 tasks
arcticmatt opened this issue Oct 25, 2024 · 2 comments
Open
1 of 2 tasks

Unnecessary usage of eval requires unsafe-eval in CSP #1221

arcticmatt opened this issue Oct 25, 2024 · 2 comments

Comments

@arcticmatt
Copy link

Bug report

Packages affected

  • sandpack-client
  • sandpack-react

Description of the problem

This code uses eval("this"). AFAICT this is unnecessary, and we could instead do something like:

function getGlobalObject() {
  if (typeof globalThis !== "undefined") {
    // Modern standard
    return globalThis;
  } else if (typeof window !== "undefined") {
    // Browsers
    return window;
  } else if (typeof global !== "undefined") {
    // Node.js
    return global;
  } else if (typeof self !== "undefined") {
    // Web Workers
    return self;
  }
  throw new Error("Unable to locate global object.");
}

const GLOBAL = getGlobalObject();

With the current approach, if you use SandpackPreview, it will raise an error unless unsafe-eval is included in your CSP. It would be better if SandpackPreview was usable without making the CSP less safe.

@danilowoz I saw you introduced this code, curious for your thoughts here—I might be missing something about why eval("this") is used.
@Dari4sho
Copy link

Dari4sho commented Nov 11, 2024
edited
Loading

I'm currently having this problem trying to implement a library (mdx-editor - that is using this package as a dependency) inside a chrome-extension - unsafe-eval is not allowed there.

Thanks to your suggestion @arcticmatt, I monkey patched the library accordingly for my project - it works perfectly fine!
I created this gist with the patch for anyone interested in a quick access:
https://gist.github.com/Dari4sho/71d5ea6eae4d50352d4244e61ebe4c6e

@jonastreub
Copy link

We at Framer are also running into this and now thinking of maybe forking for this reason

@eugene-stativka eugene-stativka mentioned this issue Nov 20, 2024
Merged
4 tasks
CompuIves pushed a commit that referenced this issue Nov 21, 2024
@eugene-stativka
fix: replace eval with globalThis to comply with CSP policies (#1232)
515488d 
**Issue:**
Sandpack currently uses `eval` to obtain the global object, which triggers CSP `unsafe-eval` violations. This poses security risks and limits the ability to use Sandpack in environments with strict CSP policies.

**Solution:**
Replaced the `eval`-based approach with an IIFE that sequentially checks for `globalThis`, `self`, `window`, and `global` to securely access the global object without violating CSP policies.

**Testing:**
- Tested in a local development environment with CSP enforced to ensure no violations occur.

**Related Issue:**
- [1221](#1221)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jonastreub @Dari4sho @arcticmatt