Ng2-pdf-viewer: CSP unsafe-eval required after release 5.2.2

Created on 5 Dec 2018  路  7Comments  路  Source: VadimDez/ng2-pdf-viewer

Bug Report or Feature Request (mark with an x)
- [ ] Regression (a behavior that used to work and stopped working in a new release)
- [x] Bug report -> please search issues before submitting
- [ ] Feature request
- [ ] Documentation issue or request

From release 5.2.2 our Content Security Policy gets violated because unsafe-eval are not allowed.
I think it might be related to this bump: d1462589175a0794d4dfc818c72076483fa34c27

image

Most helpful comment

Looks like it is going to be resolved with the next release:
mozilla/pdf.js#10387
mozilla/pdf.js#10229

All 7 comments

You may have to submit an issue to mozilla/pdf.js instead of here to make progress since this is a problem inside a dependency.

Here is the offending code:

// pdf.js:13152-13154
var g = function () {
  return this;
}() || Function("return this")();

In particular the Function constructor is probably triggering the unsafe-eval error. Although, I'm not sure why the regular function assignment before the || is not working for you. The eval should only be run if the first assignment fails (evaluates as a non-truthy value).

Try running the first half of the assignment in your inspector to see if it is an environment issue. Or try something like:

var g = function () {
  return 'apples';
}() || Function("return 'bananas'")();

and see what g returns.

Looks like it is going to be resolved with the next release:
mozilla/pdf.js#10387
mozilla/pdf.js#10229

Works with release 5.3.2

@loremaps 5.3.2 was working fine but trying to upgrade to 5.3.4 broke it again.
It's been a really painful experience to figure that out as it was happening within a lazy loaded module and the only error I had was Runtime compiler is not loaded :scream:.

Any idea why it's happening again?

@maxime1992 yes I believe you are also facing this issue: mozilla/pdf.js#11036
Which appears to be an upstream issue of a babel polyfill :unamused:

Yup thanks I commented there!

@loremaps its possible that you remove the dependency and re-add pdfjs-dist as peerDependency?
We can just downgrade the pdfjs dependencies as we need to get a rescue from this issue.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

kevinariasf picture kevinariasf  路  6Comments

jgrant95 picture jgrant95  路  6Comments

asadullazadeh picture asadullazadeh  路  4Comments

roginneil picture roginneil  路  3Comments

xyrintech picture xyrintech  路  5Comments