Botframework-webchat: webchat.js - doesGlobalFileReaderExist causes EvalError when Content Security Policy is set

@stevengum is this one fixed in latest version of DLJS + BFStreaming?

@silverbulletgt this is an issue from our dependencies (botframework-streaming), I am pinging them to see if they have fixed the issue or not.

Some investigations with @Zerryth:

• This PR should have removed the code, https://github.com/microsoft/botbuilder-js/pull/2752
  
  
  
  • Shipped as 4.10.0
  
  
• DLJS 0.13.1 is using BFStreaming 4.10.3
• Web Chat 4.10.1 is using DLJS 0.13.1

So, Web Chat >= 4.10.1 should have it fixed.

We still need to extract the ZIP file from @silverbulletgt and see how it repro.

@compulim and @Zerryth, where are we on this? Could you send an update please?

@compulim any updates on this issue?

@stevkan or someone on the support team can you verify that is resolved in latest version of Web Chat?

@tdurnford, I am able to repro the issue, using the current version of Web Chat, v4.13.0.

Thanks for the repro. Added it to dev discussions

@stevengum @compulim my investigations so far, as I'm OOF and handing this over:

So I was not able to successfully reproduce the issue, however I also wasn't able to repro it the exact way I wanted either--something's wrong with Bot Services :(

But that being said, I was able to successfully have a bot that already exists (the streaming bot) successfully chat

Why I can't reproduce it with a fresh, new bot -- Bot Services issues abound

There are some weird issue happening with Bot Services--it appears to be down, therefore I cannot access Channels > Direct Line > get secret for any new bots. Nor could I provision any new bots :(

trying to get secret from BCR > Channels

• "dev.botframework.com took too long to response"

trying to create a new bot -- need any DL secret

• Can't reach Bot Services

So I'm working with the one secret I have stored (the streaming bot I made).

My Repro so far.

1. Follow @silverbulletgt's instructions for 1 - 3.
   

1. Edit OG's given html file to fetch a "real" token instead of passing "TestToken"

<!DOCTYPE html>
<html>
   <body>
      <div id="webchat" role="main"></div>
      <script src="https://cdn.botframework.com/botframework-webchat/latest/webchat.js"></script>
      <script>

         // Set style options.
         const styleOptions = {
            botAvatarInitials: 'BF',
            userAvatarInitials: 'WC'
         };

         //trying to apply fix for issue: https://github.com/microsoft/BotFramework-WebChat/issues/3393
         //which does not resolve this issue
         const styleNonce = "testNonce";

       (async function() {
        const res = await fetch('https://directline.botframework.com/v3/directline/tokens/generate', { method: 'POST', headers:{'Authorization':'Bearer IVOl9nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxs6i_FtiM'} });
        const { token } = await res.json();

         window.WebChat.renderWebChat(
            {
               directLine: window.WebChat.createDirectLine({
                  token: token
               }),
               userID: 'YOUR_USER_ID',
               username: 'Web Chat User',
               locale: 'en-US',
               styleOptions,
               styleNonce
            },
            document.getElementById('webchat')
         );

         document.querySelector('#webchat > *').focus();
         })().catch(err => console.error(err));
      </script>
   </body>
</html>

1. Navigate to inetpub/wwwroot/webchat.html => success
   

Also note: for anyone looking at the HTML, please be sure to add a token server in your production code, rather than putting the Direct Line secret into the HTML like I had done for testing

@compulim I'm working with @stevkan and @Zerryth to unpack this.

They were unable to repro the unsafe-eval CSP violation using latest and 4.13.0 via the CDN. @stevekan is building WC locally and attempting a another repro.

@silverbulletgt can you bump your version of Web Chat to 4.12.0 or greater? I've checked that version on the CDN and the problematic unsafe-eval code from botframework-streaming was not found there.

@compulim when inspecting 4.11.0 and 4.10.1 on the CDN, I was able to find the problematic doesGlobalFileReaderExist function that was removed from [email protected].

As @Zerryth found earlier, everything looks correct, but it's unclear as to why 4.10.1 and 4.11.0 of Web Chat still use the unsafe eval code.

Some investigations with @Zerryth:

• This PR should have removed the code, microsoft/botbuilder-js#2752

  • Shipped as 4.10.0
• DLJS 0.13.1 is using BFStreaming 4.10.3
• Web Chat 4.10.1 is using DLJS 0.13.1

So, Web Chat >= 4.10.1 should have it fixed.

We still need to extract the ZIP file from @silverbulletgt and see how it repro.

@silverbulletgt, I’m closing this issue for now as the CSP violation via the unsafe-eval error has been verified fixed in later versions of Web Chat (starting with 4.12.0).

Please bump the version of Web Chat being used in your front end to pick up this fix. If you still run into the same CSP violations with a version equal to or greater than 4.12.0, please file a new issue.