content security policy #1483

Open
likerainyday opened this issue Aug 28, 2020 · 8 comments

@likerainyday

protobuf.js version: 6.10.1
When the web page enables CSP, protobuf.js is blocked because of unsafe-eval.
I found the problem in codegen:

  return Function.apply(null, scopeParams).apply(null, scopeValues);
  return Function(source)();

What can I do to support CSP?

@makabakabu

Any updates? I am facing the same issue.

@alexander-fenster
Contributor

Folks, I personally have about zero experience in front-end so while I understand what "content security policy" is, I would really appreciate some more details - maybe some reproduction steps. What exactly are you trying to do that gets blocked?

@seanlangbrown

seanlangbrown commented Feb 6, 2021

I've investigated this and created this repl that reproduces the issue and explains it in detail.

tl;dr: Changing CSP is not necessary to use protobufjs. You shouldn't allow unsafe-eval because it is considered harmful. CSP causes eval() to throw an exception in inquire() that causes the warning to be logged by the browser, but it is handled by protobufjs:

var mod = eval("quire".replace(/^/,"re"))(moduleName); // eslint-disable-line no-eval

This issue was reported as early as version 6, see #593.

However, I did find a bug while investigating this issue: inquire() can never resolve any modules when unsafe-eval is not allowed, even modules that are available. I have created #1548 to suggest that Protobufjs use a more modern method for the desired functionality of inquire(). (cc: @alexander-fenster)

@yvele

yvele commented May 19, 2022

@seanlangbrown the codegen problem is not the same problem as the eval one.

The eval problem has been reported many many times, has a PR and many workarounds.

But I'm really stuck with codegen, which violates CSP because it uses Function:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_eval_expressions

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script

Note that I'm using protobuf with the reflection mode only.
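The two code paths this thread points at, shown side by side in an added illustration that is not protobuf.js's own code: a minimal protobuf encoder whose body is assembled as source text and compiled with Function(source)(), the call a script-src policy without 'unsafe-eval' refuses with the EvalError quoted above, next to the same encoder built from ordinary closures over the field descriptors, which never turns a string into code and so gives CSP nothing to block. The schema, the message and the helper names (writeVarint, tagOf, compileEncoder, buildEncoder, dynamicCodeAllowed, makeEncoder) are constructed for this example; the expected bytes are the standard protobuf wire-format encoding of int32 150 and the string "testing".

```javascript
// Added example, not protobuf.js code: one protobuf encoder built two ways.
// Path 1 assembles JavaScript source as a string and compiles it with Function(),
// the pattern this issue reports in codegen; a CSP script-src without
// 'unsafe-eval' refuses it with an EvalError. Path 2 walks the same field
// descriptors with closures and never turns a string into code.
// Schema, message and helper names below are constructed for illustration.

const WIRE_VARINT = 0; // wire type for int32/uint32/bool/enum
const WIRE_LEN = 2;    // wire type for string/bytes/embedded messages

// Base-128 varint: low 7 bits per byte, MSB set on every byte but the last.
function writeVarint(bytes, value) {
  value = value >>> 0; // unsigned 32-bit is enough for this example
  while (value > 0x7f) {
    bytes.push((value & 0x7f) | 0x80);
    value >>>= 7;
  }
  bytes.push(value);
}

// Field tag = (field number << 3) | wire type.
function tagOf(field) {
  return (field.id << 3) | (field.type === "string" ? WIRE_LEN : WIRE_VARINT);
}

// Reflection data for a two-field message (constructed).
const schema = [
  { name: "a", id: 1, type: "int32" },
  { name: "b", id: 2, type: "string" },
];

// --- Path 1: codegen. Build source text, then compile it. ---
function generateEncoderSource(fields) {
  let src = "var bytes = [];\n";
  for (const f of fields) {
    src += `if (m.${f.name} != null) {\n`;
    src += `  writeVarint(bytes, ${tagOf(f)});\n`;
    if (f.type === "string") {
      src += `  var s = new TextEncoder().encode(m.${f.name});\n`;
      src += `  writeVarint(bytes, s.length);\n`;
      src += `  for (var i = 0; i < s.length; i++) bytes.push(s[i]);\n`;
    } else {
      src += `  writeVarint(bytes, m.${f.name});\n`;
    }
    src += "}\n";
  }
  return src + "return Uint8Array.from(bytes);";
}

function compileEncoder(fields) {
  // Under a strict CSP this line throws the EvalError quoted in the thread:
  // "Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script"
  const compiled = Function("writeVarint", "m", generateEncoderSource(fields));
  return (m) => compiled(writeVarint, m);
}

// --- Path 2: interpret the descriptors. No dynamic code anywhere. ---
function buildEncoder(fields) {
  const writers = fields.map((f) => {
    const tag = tagOf(f);
    if (f.type === "string") {
      return (bytes, m) => {
        if (m[f.name] == null) return;
        const s = new TextEncoder().encode(m[f.name]);
        writeVarint(bytes, tag);
        writeVarint(bytes, s.length);
        for (const byte of s) bytes.push(byte);
      };
    }
    return (bytes, m) => {
      if (m[f.name] == null) return;
      writeVarint(bytes, tag);
      writeVarint(bytes, m[f.name]);
    };
  });
  return (m) => {
    const bytes = [];
    for (const write of writers) write(bytes, m);
    return Uint8Array.from(bytes);
  };
}

// Probe once at startup. Browsers enforce the policy by throwing EvalError from
// Function()/eval(); any other exception is a real bug and is rethrown.
function dynamicCodeAllowed() {
  try {
    Function("return 1")();
    return true;
  } catch (e) {
    if (e instanceof EvalError) return false;
    throw e;
  }
}

// What a CSP-aware runtime would do: compile when permitted, interpret otherwise.
function makeEncoder(fields) {
  return dynamicCodeAllowed() ? compileEncoder(fields) : buildEncoder(fields);
}

function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join(" ");
}

// Classic wire-format example: field 1 = 150 -> 08 96 01,
// field 2 = "testing" -> 12 07 74 65 73 74 69 6e 67. Both paths must agree.
const sample = { a: 150, b: "testing" };
```

In a Chrome MV3 extension or any page with a strict script-src, compileEncoder throws before a single byte is encoded, which matches the "error is thrown as soon as I try to encode" report later in this thread. dynamicCodeAllowed catches that specific failure so a runtime can fall back to the interpreted encoder, which gives up whatever speed the compiled code buys but produces identical output without 'unsafe-eval'.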

@galangel

galangel commented Jun 2, 2022

Still an issue for me, using it in a Chrome extension: the V3 manifest doesn't allow unsafe-eval,
and the error is thrown as soon as I try to encode.

@rvzanten

Still an issue for me as well. Too bad there isn't an easy workaround for this.

@sebadob

sebadob commented Dec 8, 2023

For anyone still having this problem, I "fix" this locally with my build script. The only downside is that when you need to rebuild the proto files, you need to delete node_modules and basically re-install the dependencies.
You could revert the change manually as well, but this is pretty annoying, and since I don't need to rebuild that often, this works fine for me.

You will not be able to rebuild the proto files with the CLI for instance after you have executed the command, but it will allow you to get rid of the unsafe-eval exception in your CSP:

sed -i 's/eval("quire".replace(\/^\/,"re"))(moduleName);/undefined;/g' node_modules/@protobufjs/inquire/index.js

All it does is to return undefined in places where the eval would be executed.
I do not use any service stuff with it and only use it in the frontend, so I am not sure if this "fix" would screw up stuff, if you use the library for RPC and things.

Edit:

Just to make things clear, you will not be able to just rebuild the proto files with each npm run for instance in local dev mode.
You need to build them manually. For instance, I use

./node_modules/protobufjs-cli/bin/pbjs \
  ../backend/proto/orders.proto \
  --es6 -w es6 \
  --no-create --no-encode --no-verify --no-convert --no-delimited --no-typeurl --no-service \
  -t static-module \
  -o src/lib/protos/orders.js

Afterwards, you can execute the sed and you will not have any unsafe-eval problems anymore.
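The same edit as a build-step script that checks its own work, added here as an example (it is not part of the comment above and not protobuf.js code): it takes the contents of inquire/index.js as a string, applies the substitution only when the exact eval() call quoted in this thread appears exactly once, is a no-op on an already patched file so it can run unconditionally on every install, and fails the build if a package upgrade changed the file, so eval() cannot silently return to a bundle that ships under a strict CSP. The stand-in source is constructed for the test, not copied from the package; reading and rewriting node_modules/@protobufjs/inquire/index.js with fs in a postinstall script is the one piece left out.

```javascript
// Added example, not from the comment above or from protobuf.js: a build-step
// patcher equivalent to the sed one-liner, with the checks an install-time
// script should have. It works on the file contents as a string so it can sit in
// a postinstall script that reads and rewrites
// node_modules/@protobufjs/inquire/index.js.

// The exact call inquire() evaluates, as quoted in this thread.
const EVAL_CALL = 'eval("quire".replace(/^/,"re"))(moduleName);';
// What the sed command substitutes for it. inquire() then never resolves a module
// and always falls through to its null return, and no eval() is left for CSP to block.
const REPLACEMENT = "undefined;";

function patchInquireSource(source) {
  // split() with a string pattern is a literal match, so the regex characters in
  // EVAL_CALL need no escaping here.
  const occurrences = source.split(EVAL_CALL).length - 1;
  if (occurrences === 1) {
    return { source: source.replace(EVAL_CALL, REPLACEMENT), changed: true, reason: "patched" };
  }
  if (occurrences === 0 && source.includes("var mod = " + REPLACEMENT)) {
    // Running the patch twice must be a no-op, so the script can be unconditional.
    return { source, changed: false, reason: "already patched" };
  }
  // Anything else means the package changed underneath us. Fail the build rather
  // than let an eval() slip back into a bundle served under a strict CSP.
  throw new Error(`inquire/index.js: expected exactly one eval() call, found ${occurrences}`);
}

// Constructed stand-in for the function in inquire/index.js (not the real file);
// only the eval line is taken from this thread.
const sampleInquireSource = [
  "function inquire(moduleName) {",
  "    try {",
  '        var mod = eval("quire".replace(/^/,"re"))(moduleName); // eslint-disable-line no-eval',
  "        if (mod) return mod;",
  "    } catch (e) {}",
  "    return null;",
  "}",
].join("\n");
```

Two caveats for anyone scripting the sed form directly: GNU sed accepts `sed -i 's/.../.../' file`, but the BSD sed on macOS requires an explicit backup suffix (`sed -i '' ...`), and sed will happily do nothing if the line it expects is absent, which is exactly the failure the exact-count check above turns into a build error.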

@p3v9d5ui

p3v9d5ui commented Sep 4, 2024

Any update on this? This issue has been open for 4 years now! Being incompatible with a safe script-src CSP policy is becoming more and more unacceptable.
