Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CSP unsafe-eval (fixed in newer pdf.js) #70

Open
Spiral1401 opened this issue Feb 4, 2020 · 9 comments
Open

CSP unsafe-eval (fixed in newer pdf.js) #70

Spiral1401 opened this issue Feb 4, 2020 · 9 comments

Comments

@Spiral1401
Copy link

Seeing this error in my application - I noticed there is a ticket asking for the problem to be posted in the pdf.js issue tracker, but it appears at this point that pdf.js has solved the issue in version 2.1.266. The version of pdf.js within ng2-pdfjs-viewer seems to be 2.2.171 (not sure if I am looking at the right place).

Is it relatively simple to update this? Looks like they host a pre-built pdf.js out there so I will give it a shot in my application the meantime.

Thank you
@Spiral1401
Copy link
Author

I realize now that 2.2.171 > 2.1.266. That's on me for focusing on the rev number. But, then, should this issue not be fixed? Any idea why I might still be seeing this?

@codehippie1
Copy link
Contributor

@Spiral1401 Have you tried trying using pdfjs directly? What are the results? Also can you try directly at PDFJS site here : https://mozilla.github.io/pdf.js/web/viewer.html

@zakhenry
Copy link

@codehippie1 the https://mozilla.github.io/pdf.js/web/viewer.html works, but that is expected as it does not have a content security policy in either the headers or the html head

@ZsuzsaPetho
Copy link

ZsuzsaPetho commented May 25, 2022
edited
Loading

PDF.js has two versions. One for all the browsers (old ones as well) and one for only newer versions. The problem is with polyfills and only the version with older browsers has it. Would it be possible to have two version from this library as well? so those who only develop for newer browsers could use the one with stricter security settings.

@dbaggott
Copy link

dbaggott commented Jul 8, 2022

@ZsuzsaPetho @Spiral1401, have either of you found a work-around that doesn't require adding unsafe-eval to CSP headers?

@dbaggott
Copy link

For anyone who comes here in the future, we switched to https://www.npmjs.com/package/ngx-extended-pdf-viewer

@anthonybriand anthonybriand mentioned this issue Dec 25, 2022
Open
@JanMann89
Copy link

Any updates or workarounds? ngx-extended-pdf-viewer unfortunately has quality issues while showing bitmaps inside the pdf that ng2-pdfjs-viewer does not have. So I would actually prefer using this package, but I will not enable unsafe-eval :-/

@lucasnguyen3979
Copy link

Any updates or workarounds? ngx-extended-pdf-viewer unfortunately has quality issues while showing bitmaps inside the pdf that ng2-pdfjs-viewer does not have. So I would actually prefer using this package, but I will not enable unsafe-eval :-/

There is no update for CSP :(

@timothyBrake
Copy link

In 2024 it's considered a no-go if you need to add unsafe-eval in CSP headers.
ANY update would be very appreciated here be bring this project in 2024. Most likely an update of pdfs would fix it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@dbaggott @zakhenry @timothyBrake @codehippie1 @lucasnguyen3979 @ZsuzsaPetho @Spiral1401 @JanMann89