fix: remove 'unsafe-eval' from CSP, closes #126 #299
Closed
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
An unfortunate style of fix, but it works.
As described in #126, the use of
Function
as a constructor, used byajv
-->conf
-->electron-store
, resulted in the CSP requiring theunsafe-eval
directive.At first, I tried replacing the
electron-store
library with an alternative, though sadly none work that well. This is the most popular lib.As we're not using the schema validation features of the library, I was able to prevent the library being bundled with
webpack.IgnorePlugin
and create an alias to a stub file with the same methods that are called, to avoid any runtime errors.@agraebe found that this PR breaks wallet creation, as an error is thrown trying to use
argon2.wasm
, as wasm isn't allowed withoutunsafe-eval
. Apparently there'll be awasm-eval
, but this isn't in the spec yet.I've tried using
argon2
node library and communicating to main process with ipc features of Electron. This seems like the most sensible solution. The library works and I tried a poc implementation. However, owing to the multi-environment build set up, it tries to rebuild the binaries and errors out in the process 🤷✅ Workaround completeThe solution I landed on was to use the same argon2 "browser" library, just in node. It's called a browser lib as that's its intention, but really it's just an argon2 wasm lib. So it runs fine in node, too. It's slightly slower than the argon2-node lib, but circumvents all the build issues.
@timstackblock note the argon2 change only affects code that involves deriving the encryption key from a password, so:
Though the CSP may have wider consequences I'm unaware of
❌ ipc communication broken in production
Reported here #312 It turns out the the
ipcMain.on
/ipcMain.handle
isn't picking up the event in production-only, so the wallet hangs. Debugging why this is happening, though this in itself is a pain to do.