protobuf.js version: 6.8.6
There's some special code inside @protobufjs/inquire:

```js
// Resolves an optional module while hiding the `require` call from bundlers.
// The module name "require" is assembled at runtime and passed through eval()
// so that static analysis never sees a literal require() call.
function inquire(moduleName) {
    try {
        var mod = eval("quire".replace(/^/,"re"))(moduleName); // eslint-disable-line no-eval
        // Only accept a module that actually has content (non-empty array or object).
        if (mod && (mod.length || Object.keys(mod).length))
            return mod;
    } catch (e) {} // eslint-disable-line no-empty
    return null;
}
```
If I apply a "Content-Security-Policy" without additional exceptions to allow eval, then it's prohibited. Actually, it's the only eval in my ~1 MB minified file.
Probably there's a way to avoid it and become CSP-compliant?
UPD: I'm using the minimal variant with everything built in.
I have the same problem. Electron 2.0.0 now prints out a warning if the web page has no Content-Security-Policy, or if it has one but unsafe-eval is enabled.
For now, protobufjs forces us to keep unsafe-eval enabled.
From the perspective of a security engineer who deploys Content Security Policy across a large number of applications, it would be great to have this code refactored to not rely on eval(), so that it doesn't force its users to set unsafe-eval in their CSP.
If this is difficult to refactor, just making sure that this is only executed in non-browser environments would be a reasonable workaround.
How about using `new Function` instead of `eval`?

```js
const mod = new Function("id", "return require(id)")(moduleName)
```
`new Function()` is subject to the same CSP restrictions as `eval()`:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_eval_expressions
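As an added example (not protobuf.js code and not from anyone in this thread), the block below shows an eval-free shape for `inquire()` that takes the loader as a parameter, and a small checker that reports whether a given Content-Security-Policy header value would permit `eval()`/`new Function()` at all. It assumes the bundler in use does not rewrite the indirect `require` reference; the sample policies are constructed.

```javascript
// Resolve an optional module without eval() or new Function(). The loader is
// injectable (defaulting to the ambient `require` when one exists) so that a
// browser build gets null instead of a CSP violation.
// Assumption: the bundler does not rewrite this indirect reference.
function inquireNoEval(moduleName, loader) {
  var req = loader || (typeof require === "function" ? require : null);
  if (!req) return null;
  try {
    var mod = req(moduleName);
    // Same emptiness rule as the original inquire(): reject empty arrays/objects.
    if (mod && (mod.length || Object.keys(mod).length)) return mod;
  } catch (e) {
    // Optional dependency is absent; fall through to null.
  }
  return null;
}

// Parse a Content-Security-Policy header value and report whether it permits
// eval()/new Function(). script-src governs eval and falls back to default-src;
// with neither directive present, CSP places no restriction on eval.
function cspAllowsEval(policy) {
  var directives = {};
  policy.split(";").forEach(function (chunk) {
    var parts = chunk.trim().split(/\s+/);
    if (parts[0]) directives[parts[0].toLowerCase()] = parts.slice(1);
  });
  var sources = directives["script-src"] || directives["default-src"];
  if (!sources) return true;
  return sources.some(function (s) { return s.toLowerCase() === "'unsafe-eval'"; });
}

// Constructed sample policies: the first is what the eval in inquire() forces
// Electron users to keep, the second is the strict policy this thread wants.
var POLICY_WITH_UNSAFE_EVAL = "default-src 'self'; script-src 'self' 'unsafe-eval'";
var POLICY_STRICT = "default-src 'self'; script-src 'self'";

console.log(cspAllowsEval(POLICY_WITH_UNSAFE_EVAL)); // true
console.log(cspAllowsEval(POLICY_STRICT));           // false
```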
I've replaced protobuf.js with https://github.com/mapbox/pbf