
fix: replace eval with globalThis to comply with CSP policies #1232

Merged: 1 commit merged into codesandbox:main on Nov 21, 2024

Conversation

eugene-stativka (Contributor)

What kind of change does this pull request introduce?

Issue:
Sandpack currently uses eval to obtain the global object, which triggers CSP unsafe-eval violations. This poses security risks and limits the ability to use Sandpack in environments with strict CSP policies.

Solution:
Replaced the eval-based approach with an IIFE that sequentially checks for globalThis, self, window, and global to securely access the global object without violating CSP policies.

Testing:
Tested in a local development environment with CSP enforced to ensure no violations occur.

Related Issue:
#1221

Checklist

  • Documentation; N/A
  • Storybook (if applicable); N/A
  • Tests;
  • Ready to be merged;
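The before/after that the description refers to, as an added example in JavaScript (this is not Sandpack's own code; `resolveGlobal` is a hypothetical helper introduced here so the fallback order can be exercised without a legacy runtime):

```javascript
// Before: the pattern the PR removes. Any form of eval compiles a code string
// at runtime, which a CSP without 'unsafe-eval' blocks with an EvalError.
// The indirect form (0, eval) is used so the result is the global object in
// both sloppy and strict mode; it is still blocked by the same CSP directive.
function getGlobalViaEval() {
  // eslint-disable-next-line no-eval
  return (0, eval)("this");
}

// After: the CSP-safe lookup described in the PR, written as an IIFE so the
// global is resolved once at module load and no code string is ever compiled.
const globalObject = (function () {
  if (typeof globalThis !== "undefined") return globalThis; // ES2020, all current runtimes
  if (typeof self !== "undefined") return self;             // browsers and web workers
  if (typeof window !== "undefined") return window;         // browsers predating globalThis
  if (typeof global !== "undefined") return global;         // Node.js predating globalThis
  throw new Error("unable to locate global object");
})();

// Hypothetical helper (not part of Sandpack): applies the same first-defined-
// wins rule to an explicit candidate list. `candidates` is an ordered array of
// [name, value] pairs; a value of undefined stands in for a runtime that does
// not define that identifier at all.
function resolveGlobal(candidates) {
  for (const [name, value] of candidates) {
    if (typeof value !== "undefined") return { name, value };
  }
  throw new Error("unable to locate global object");
}

module.exports = { getGlobalViaEval, globalObject, resolveGlobal };
```

Both lookups return the same object in an environment without a CSP; the difference is only that the IIFE keeps working once `unsafe-eval` is no longer allowed.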



vercel bot commented Nov 20, 2024

@eugene-stativka is attempting to deploy a commit to the CodeSandbox Team on Vercel.

A member of the Team first needs to authorize it.


codesandbox-ci bot commented Nov 20, 2024

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

CompuIves (Member) previously approved these changes Nov 21, 2024

This PR looks very good! Could you run a Prettier format on the file? After that it should be ready to merge 👍


eugene-stativka (Contributor, Author)

> This PR looks very good! Could you run a Prettier format on the file? After that it should be ready to merge 👍

Thanks, @CompuIves! I just ran Prettier and force-pushed an amended commit. Please take a look when you have time.

@CompuIves CompuIves merged commit 515488d into codesandbox:main Nov 21, 2024
6 of 10 checks passed