CSP "unsafe-eval" error because of render_sync.js use of function constructor

[christianvoigt]

Hi, me again. :)

I am using viz.js in a "web view" in VSCode (basically a browser window within the editor). Under certain conditions this leads to the following CSP error: Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'nonce-...'".

I do not want to add "unsafe-eval" to the CSP as this is not recommended. The error is caused by the following code in render_sync.js:

return new Function("body","return function "+A+'() {\n    "use strict";    return body.apply(this, arguments);\n};

I am not sure where this is coming from, but typically code like this is added by a bundler (in your case Rollup). I previously thought that this was caused by my own use of webpack, as webpack is known to cause this problem (see here and here for webpack-specific discussions).

Could you take a look at this problem?

[aduh95]

Hi! This is linked to an Emscripten option: https://github.com/emscripten-core/emscripten/blob/master/src/settings.js#L1030-L1051
As explained in the comment there, disabling this may throw errors; FYI Viz.js is using both Embind and Google Closure Compiler.

You can try to compile Viz locally with USE_CLOSURE=0 make -j and check for yourself, it may actually work. The resulting build file should be bigger in size though.

[christianvoigt]

I followed your instructions and created render_sync.js with USE_CLOSURE=0 make -j . The resulting file is 2.082 KB compared to 2.031 KB with the closure compiler. I think the missing function constructor is not causing any problems, especially because the function constructor only appeared in Viz.js v3.2.0. Did you change the Emscripten configuration in v3.2.0?

It would be great if you could use the USE_CLOSURE=0 option for compiling render_sync.js (or create a CSP-ready alternative).

(I have to use the sync version because at the moment VSCode web views are not supporting web workers.)

[aduh95]

Did you change the Emscripten configuration in v3.2.0?

Yes, Emscipten version was bumped from 1.40.0 to 2.0.7, and the closure compiler used to be disabled by default.

It would be great if you could use the USE_CLOSURE=0 option for compiling render_sync.js (or create a CSP-ready alternative).

Yes, I think that makes sense looking at the file difference: render_sync is there for users that prefer compatibility over file size anyway. I'll make changes to have closure disabled for that file.

(I have to use the sync version because at the moment VSCode web views are not supporting web workers.)

(I'm looking forward for when VSCode will update to Electron 11 or 12!)