Usage of DOMPurify requires "unsafe-eval" CSP since 1.0.0

As described in the CSP spec, using Function(...) with a string requires the "unsafe-eval" CSP rule.

This is now the case with the implementation of getGlobal:

Lines 5 to 8 in 6185fe5

    
           function getGlobal() { 
        
             // eslint-disable-next-line no-new-func 
        
             return Function('return this')(); 
        
           }

I'm not sure why this pattern is used here. I guess you want to be sure to get the global object.

Do you think you can release a CSP compliant version of DOMPurify, which just returns window?

@tdeekens

Good point, can we work around that @tdeekens?

As far as I remember it was needed to either get the node.global or the window. Suggestions welcome.

Not sure if moving to https://github.com/purposeindustries/window-or-global/blob/master/lib/index.js would solve the issue while still be working.

It would for sure not cause CSP warnings :D

The problem with the library is that this will be rewritten to undefined using rollup (https://github.com/rollup/rollup/wiki/Troubleshooting#this-is-undefined). I am not really sure what the "semantics" behind the idea for "root" at say

DOMPurify/src/purify.js

Lines 1 to 12 in a992d3a

    
           ;(function(factory) { 
        
               'use strict'; 
        
               /* global window: false, define: false, module: false */ 
        
               var root = typeof window === 'undefined' ? null : window; 
        
               if (typeof define === 'function' && define.amd) { 
        
                   define(function(){ return factory(root); }); 
        
               } else if (typeof module !== 'undefined') { 
        
                   module.exports = factory(root); 
        
               } else { 
        
                   root.DOMPurify = factory(root); 
        
               }

which is where the factory was used and interacted with which we can't do now as we bundle the library up.

Check #250

Build is green. I guess it's time for 1.0.2 after all.

Thanks again for the quick solution :-).

You're welcome. I hope the solution covers all our use cases of consumers.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Usage of DOMPurify requires "unsafe-eval" CSP since 1.0.0 #249

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Participants

	function getGlobal() {
	// eslint-disable-next-line no-new-func
	return Function('return this')();
	}

	;(function(factory) {
	'use strict';
	/* global window: false, define: false, module: false */
	var root = typeof window === 'undefined' ? null : window;

	if (typeof define === 'function' && define.amd) {
	define(function(){ return factory(root); });
	} else if (typeof module !== 'undefined') {
	module.exports = factory(root);
	} else {
	root.DOMPurify = factory(root);
	}

Usage of DOMPurify requires "unsafe-eval" CSP since 1.0.0 #249

Description

Activity

cure53 commented on Aug 22, 2017

tdeekens commented on Aug 22, 2017

tdeekens commented on Aug 22, 2017

cure53 commented on Aug 22, 2017

tdeekens commented on Aug 22, 2017

tdeekens commented on Aug 22, 2017

tdeekens commented on Aug 22, 2017

frigus02 commented on Aug 22, 2017

tdeekens commented on Aug 22, 2017

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Participants

Issue actions