ngx-extended-pdf-viewer: Unsafe eval causes strict csp contexts to be served es5 bundles (then error due to unsafe eval in that compilation)
Describe the bug
In the following function:
The unsafe Function() call is made to determine whether or not a browser supports the null safe navigator, however when run with a content security policy that bans unsafe-eval, this method throws an error (but not the expected one), which means that it incorrectly assumes that the browser doesn’t support null safe navigation, therefore loading the es5 implementation. The es5 implementation also has unsafe usage of Function (in Function("r", "regeneratorRuntime = r")(runtime); ) causing browsers to fail to run the worker.
Version info
- 9.0.0-alpha.4
Desktop (please complete the following information):
- Chrome, but this will affect all evergreen browsers
To Reproduce
This isn’t easy to reproduce unfortunately as you need to be serving from a server that can set CSP headers
Additional context
Relates to #687
About this issue
- State: closed
- Created 3 years ago
- Comments: 20 (9 by maintainers)
Commits related to this issue
- stephanrauh/ngx-extended-pdf-viewer#740 added CSP to the showcase to avoid regressions — committed to stephanrauh/extended-pdf-viewer-showcase by stephanrauh 3 years ago
- #740 support for CSP — committed to stephanrauh/ngx-extended-pdf-viewer by stephanrauh 3 years ago
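The misdetection described in this issue, as an added example (not code from ngx-extended-pdf-viewer): a probe that reads every exception as missing syntax sends CSP-restricted browsers to the es5 bundle, while a probe that separates `SyntaxError` from the `EvalError` raised when the policy blocks `Function()` does not. The function names, the bundle labels, the injected compile stubs, and the choice to serve the modern bundle when the probe is blocked are assumptions made for illustration.

```javascript
// Added illustration; all names here are hypothetical, not the library's API.

// Compiles (never runs) the snippet; this is the call a CSP without 'unsafe-eval' blocks.
const defaultCompile = (source) => new Function(source);

// Constructed stand-ins for the two failure modes, so the example runs outside a browser.
const cspBlockedCompile = () => { throw new EvalError("constructed: string compilation blocked by CSP"); };
const legacyCompile = () => { throw new SyntaxError("constructed: Unexpected token '.'"); };

const SNIPPET = "return ({})?.a;"; // parses only where optional chaining exists

// Probe of the kind the issue describes: any exception is read as "syntax not supported".
function naiveProbe(compile = defaultCompile) {
  try { compile(SNIPPET); return true; } catch (err) { return false; }
}

// Probe that keeps "parser rejected the syntax" apart from "policy refused to compile".
function probeOptionalChaining(compile = defaultCompile) {
  try {
    compile(SNIPPET);
    return "supported";
  } catch (err) {
    if (err && err.name === "SyntaxError") return "unsupported";
    return "blocked"; // EvalError under CSP, or anything else unrelated to syntax
  }
}

// Assumed policy: a blocked probe gets the modern bundle, because the es5 bundle
// itself calls Function() and cannot run under the same policy.
function pickBundle(result) {
  if (result === "unsupported") return "es5";
  if (result === "supported" || result === "blocked") return "modern";
  throw new TypeError("unknown probe result: " + result);
}
```

Logging the `"blocked"` result separately from `"unsupported"` also gives a CSP regression test something concrete to assert on.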
Hah yea turning on strict CSP can be a bit of an eye opener.
And yep, I can confirm beta 5 works perfectly for my application 🎉 thanks!
Yea I had a dig around to see if there was any later ES2020 feature added that is more easily detected, but came up empty handed. It seems like a reasonable enough compromise to be able to support clients that ban unsafe js eval, which I would hope would be more than 0.4% of users!
Currently there’s no server-side computation. But I’d like to add server-side stuff. Comments, visitor counter, and - high on my wish list! - server-side rendering.
Yea the <meta> bit should just go in the <head> of your index.html, I don’t think Apache config could interfere.
Is there a good reason not to use github pages for pdfviewer.net? Does it do server side computation somewhere?