Is `eval` strictly necessary in this library?

This library uses `eval("(-1).toFixed(-1);")` to trigger an exception and determine the browser from the exception message length.

What's the problem? Most secure web apps have a Content Security Policy (CSP) that prevents `eval`. Indeed, at many big corporations, such as GitHub and Microsoft, CSPs that prevent `eval` are required. Try it now in your browser: hit F12 and in the console, paste `eval("(-1).toFixed(-1);")` - you'll see GitHub prevents it:

Looking at the code closer, the real exception is calling `toFixed(-1)`. And this library is using the exception message length to determine the browser. It's not at all clear why `eval` is needed at all. Is it?
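The comparison the issue describes, as an added example that is not part of the original issue or the library's code. It runs under Node.js and assumes that the `codeGeneration: { strings: false }` option of `node:vm` is an acceptable stand-in for a page whose CSP omits `'unsafe-eval'`; `runProbe`, `compareProbes`, `EVAL_PROBE` and `DIRECT_PROBE` are hypothetical names.

```javascript
// Added example (not the library's code). Assumption: a node:vm context created
// with codeGeneration.strings = false behaves like a page whose CSP blocks eval.
const vm = require("node:vm");

// The probe as quoted in the issue: eval wraps the call that actually throws.
const EVAL_PROBE = 'eval("(-1).toFixed(-1);")';
// The same probe with the eval wrapper removed.
const DIRECT_PROBE = "(-1).toFixed(-1);";

// Run `source` in a fresh context and describe the exception it raises.
function runProbe(source, allowEval) {
  const context = vm.createContext({}, { codeGeneration: { strings: allowEval } });
  try {
    vm.runInContext(source, context);
    return { threw: false };
  } catch (err) {
    const message = String(err.message);
    return { threw: true, name: err.name, message, length: message.length };
  }
}

// Compare the three cases the issue is concerned with.
function compareProbes() {
  return {
    // eval permitted: the RangeError from toFixed(-1) surfaces through eval.
    evalAllowed: runProbe(EVAL_PROBE, true),
    // eval blocked: the probe dies with an EvalError before toFixed runs,
    // so any length measured here belongs to the wrong exception.
    evalBlocked: runProbe(EVAL_PROBE, false),
    // No eval at all: same RangeError, and it works with eval blocked.
    directBlocked: runProbe(DIRECT_PROBE, false),
  };
}

const result = compareProbes();
for (const [label, r] of Object.entries(result)) {
  console.log(`${label}: ${r.name} (message length ${r.length})`);
}
```
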