Can't use with Content Security Policy #510
Comments
Hey @ekilah! Thanks for reporting this. I'm sorry to hear about this problem. I would like to help you on this but I'm not sure if I can. Even if we fix I would be happy to solve this on the I'm keeping this open for a while if you or someone else knows how to tackle that part, but until then I cannot do much. My apologies again
@diegomura thanks for the reply. I agree, if it can't be fixed completely for my use-case, there's not much point beyond having a little more confidence in the dependencies from a security standpoint.
Yes, you are right about where those
made an issue over at
Hi team, we have also used the same @react-pdf/renderer package but are getting the CSP issue in the Chrome browser. Does anybody have any update on this or any workaround? Thanks & regards,
Hi @AgarwalShyam and @ekilah,
Is there any solution for that? Unfortunately adding
I get the 'unsafe-eval' error as well. I successfully integrated all forks, but finally I got the yoga lib error too.
Any updates on this?
Any updates on this? Having Security Error: blob popping up and I assume it's with the Content-Security Policy, but I can't find a way to solve it. Thanks all ; )
For those asking for updates, I can only say that we chose not to use Feel free to try and make more noise on this issue, which blocks fixing this for We're using a different tech stack, outside of the React realm, to create PDFs for now.
Is there no update for this?
Someone posted on Stackoverflow about an alternative library:
We are still having the issue guys,
It's clearly written
You must give the option to add our own
@diegomura Is this issue being prioritized, as it has been open for so long?
Yeah, unsafe-eval is a big bummer :(
You already know the challenge is this issue
Would be great to see a way to resolve this without unsafe-eval! If someone has a way to do this in mind, perhaps describe it in an issue and it can be contributed?
IMO, the best way forward is still to port yoga off of nbind and towards something else, probably embind. But for that to happen you have to have a good way to maintain the thing: either upstreaming it to yoga (I don't know how active it is nowadays) or forking it and maintaining that. Or maybe there already is a working fork? I did the porting part a few years ago, but do not have time to bring it up to date, nor maintain it. The port itself is not the problem; that took maybe two days. The maintenance is.
New development by @shuding: https://github.com/shuding/yoga-wasm-web Yoga ported to wasm. Used by Vercel, which might help on the maintenance front. I don't know if the bindings are compatible with the official yoga build, but it's worth a look. Now it's a matter of figuring out how to use this library in react-pdf. The main difference is that instantiation of wasm is async, so you need to somehow inject it into all the right places, which right now import it directly. I did all this for the previous version, but I don't think any of this is still portable to current react-pdf, and it was always hacky anyway.
it should be fixed in the next release
That's fantastic news! Looking forward to the next release! Thanks jeetiss!
Thank you so much for prioritising this fix ❤️❤️🥳🥳💯💯
I'm using "wasm-unsafe-eval" instead of "unsafe-eval" temporarily until the "yoga-layout" dependency is resolved, but I'm unsure if it's safe to use.
Hi there, I'm still facing the issue with the latest version. Has anyone found any solution without using wasm-unsafe-eval?
Any news about this?
I'm curious to know if someone succeeded in patching this package to use a
Describe the bug
Our site has a Content Security Policy preventing `eval()` from being used. Several dependencies of this project use `eval()`; here are PRs where people have tried to fix this there unsuccessfully:
- `fontkit`: foliojs/fontkit#180
- `restructure`: foliojs/restructure#29
- `yoga-layout`: (see below)
One guy has forked those two (https://github.com/Hopding/fontkit and https://github.com/Hopding/restructure, @Hopding) to fix these issues because it seems like the maintainer of the originals is somewhat unresponsive to this issue.
I was able to work around this by replacing this repo's dependencies with @Hopding's forks, for instance:
The above is the result of a manual process to link to the fork's product because of a bug in `yarn` (see yarnpkg/yarn#5235); something like `"restructure": "https://github.com/Hopding/restructure#8af8c49f3a63681d90554be1600d1b381ff9114d"` should work in theory.
However, it looks like after doing that, there is another dependency here that uses `eval`, and this time it's `yoga-layout-prebuilt` (a wrapper around `yoga-layout`). I can't seem to find any forks or issues on either of those repos that attempt to remove the `eval` there. Seems like a large repo, so I've hit a bit of a wall towards solving this myself.
Error message for reference:
If I add `unsafe-eval` in my CSP, everything works.
Note: I know these are issues in dependencies, and not in this repo itself, but:
To Reproduce
Have a CSP that is restrictive of `script-src`, i.e.:
and then try to include this project.
Expected behavior
I can avoid using `unsafe-eval` and use this project.
Desktop (please complete the following information):
1.4.0
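The restrictive `script-src` policy the reporter describes, the `'unsafe-eval'` workaround, and the narrower `'wasm-unsafe-eval'` alternative raised later in the thread, compared in an added example that is not part of the original issue or of react-pdf; the policy strings are constructed samples and the helper names are the example's own.

```javascript
// Added example, not code from the react-pdf project or from the issue author.
// Evaluates what dynamic-code paths the script-src part of a CSP permits, so the
// policies discussed in this thread can be compared side by side.
// CSP semantics used here (CSP Level 3):
//   'unsafe-eval'      permits eval()/new Function() and WebAssembly compilation
//   'wasm-unsafe-eval' permits WebAssembly compilation only
//   neither keyword    blocks both
//   script-src governs scripts; default-src applies only when script-src is absent.

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    // Directive names are case-insensitive; a repeated directive is ignored.
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

function hasKeyword(sources, keyword) {
  // Keyword sources are matched case-insensitively and keep their quotes.
  return sources.some((s) => s.toLowerCase() === keyword);
}

// Returns { governedBy, jsEval, wasm } for a Content-Security-Policy header value.
function evalCapabilities(header) {
  const directives = parseCsp(header);
  const governedBy = directives.has('script-src') ? 'script-src'
    : directives.has('default-src') ? 'default-src' : null;
  // No governing directive at all: the policy does not restrict scripts.
  if (governedBy === null) return { governedBy, jsEval: true, wasm: true };
  const sources = directives.get(governedBy);
  const jsEval = hasKeyword(sources, "'unsafe-eval'");
  const wasm = jsEval || hasKeyword(sources, "'wasm-unsafe-eval'");
  return { governedBy, jsEval, wasm };
}

// Constructed sample policies: the restrictive one from the issue, the 'unsafe-eval'
// workaround the reporter wanted to avoid, and the narrower 'wasm-unsafe-eval' variant.
const POLICIES = {
  strict: "default-src 'self'; script-src 'self'",
  unsafeEval: "default-src 'self'; script-src 'self' 'unsafe-eval'",
  wasmOnly: "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'",
  fallback: "default-src 'self' 'unsafe-eval'",
};

for (const [name, policy] of Object.entries(POLICIES)) {
  console.log(name.padEnd(10), JSON.stringify(evalCapabilities(policy)));
}
```

A dependency that still calls `eval()` or `new Function()` needs `jsEval` to be true, while a wasm-only build such as the yoga port discussed above needs only `wasm`, which is why the narrower keyword is enough once the JS `eval` users are gone.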