
fix: remove 'unsafe-eval' from CSP, closes #126 #299

Closed

Conversation

kyranjamie (Collaborator) commented Oct 27, 2020

Download the latest builds [4.0.0-beta.6].

An unfortunate style of fix, but it works.

As described in #126, the use of Function as a constructor, used by ajv --> conf --> electron-store, resulted in the CSP requiring the unsafe-eval directive.

At first, I tried replacing the electron-store library with an alternative, though sadly none work that well. This is the most popular lib.

As we're not using the schema validation features of the library, I was able to prevent the library from being bundled with webpack.IgnorePlugin and create an alias to a stub file with the same methods that are called, to avoid any runtime errors.


⚠️ This breaks production wasm code

@agraebe found that this PR breaks wallet creation, as an error is thrown trying to use argon2.wasm, as wasm isn't allowed without unsafe-eval. Apparently there'll be a wasm-eval, but this isn't in the spec yet.

I've tried using the argon2 node library and communicating with the main process via the IPC features of Electron. This seems like the most sensible solution. The library works and I tried a PoC implementation. However, owing to the multi-environment build setup, it tries to rebuild the binaries and errors out in the process 🤷


✅ Workaround complete

The solution I landed on was to use the same argon2 "browser" library, just in node. It's called a browser lib as that's its intention, but really it's just an argon2 wasm lib. So it runs fine in node, too. It's slightly slower than the argon2-node lib, but circumvents all the build issues.

@timstackblock note the argon2 change only affects code that involves deriving the encryption key from a password, so:

  1. When setting a password
  2. When decrypting mnemonic to make a transfer

Though the CSP may have wider consequences I'm unaware of.


❌ IPC communication broken in production

Reported here: #312. It turns out that ipcMain.on / ipcMain.handle isn't picking up the event in production only, so the wallet hangs. Debugging why this is happening, though this in itself is a pain to do.
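An added example, not code from the PR or the project: a small helper that parses a serialized CSP and reports whether its effective script source list still permits eval, which is the regression this PR sets out to remove. The sample policies are constructed; 'wasm-unsafe-eval' is the keyword CSP Level 3 later introduced for the WebAssembly case described above.

```javascript
// Added example (not from the PR): audit a CSP string for eval-enabling keywords.
// Assumes the policy is available as a plain string, e.g. read from the
// <meta http-equiv="Content-Security-Policy"> tag of the built index.html.
// The two policies below are constructed samples, not the project's real CSP.
const CSP_BEFORE = "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'";
const CSP_AFTER = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'";

// Parse a serialized policy into { directiveName: [sourceExpression, ...] }.
// Directive names are case-insensitive; a repeated directive is ignored after
// its first occurrence, as the CSP spec requires.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// The source list that governs scripts: script-src, falling back to default-src.
function scriptSources(directives) {
  if ('script-src' in directives) return directives['script-src'];
  return directives['default-src'] || [];
}

// Keywords that re-enable eval-like code paths. 'unsafe-eval' covers eval(),
// new Function() and, at the time of this PR, WebAssembly compilation as well;
// 'wasm-unsafe-eval' is the narrower keyword CSP Level 3 later added for wasm only.
const EVAL_KEYWORDS = new Set(["'unsafe-eval'", "'wasm-unsafe-eval'"]);

// Return the eval-enabling keywords present in the effective script source list.
// An empty array means code such as ajv's Function() constructor will be blocked.
function evalKeywords(policy) {
  return scriptSources(parseCsp(policy))
    .map((s) => s.toLowerCase())
    .filter((s) => EVAL_KEYWORDS.has(s));
}

// Whether WebAssembly compilation would be permitted (the argon2.wasm case above).
function allowsWasm(policy) {
  return evalKeywords(policy).length > 0;
}

console.log('before:', evalKeywords(CSP_BEFORE)); // [ "'unsafe-eval'" ]
console.log('after:', evalKeywords(CSP_AFTER)); // []
```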

@kyranjamie kyranjamie requested review from hstove and aulneau October 27, 2020 13:43
@kyranjamie kyranjamie self-assigned this Oct 27, 2020
@kyranjamie kyranjamie force-pushed the fix/tighten-csp branch 3 times, most recently from fbb3831 to 19a4178 on October 28, 2020 14:38
@kyranjamie kyranjamie force-pushed the fix/tighten-csp branch 5 times, most recently from f7aad24 to 2c7c43e on October 29, 2020 12:49
@kyranjamie kyranjamie requested review from yknl and zone117x October 29, 2020 13:15
kyranjamie (Collaborator, Author) commented:
Closing this PR in favour of #331

@kyranjamie kyranjamie closed this Dec 2, 2020
@kyranjamie kyranjamie deleted the fix/tighten-csp branch December 4, 2020 11:05
Linked issue: [4.0.0-beta.5] Bug: Infinite spinner when creating a new wallet, CSP PR has broken login