Server: Get rid of all unsafe-eval Javascripts

Created on 30 Aug 2016 · 6 Comments · Source: nextcloud/server

Get rid of all JavaScript blocks that are against the unsafe-eval CSP rule.
As an example, handlebars.js.
Show how that could be possible.

Labels: enhancement, help wanted, security

All 6 comments

This seems rather hard to accomplish due to our existing JS code base. As a first step I've added a hardening to jQuery that makes the unsafe-eval in jQuery a non-issue at least: https://github.com/nextcloud/server/pull/3874

So on my system a quick grep for handlebars compile gives me:

  • [x] apps/bruteforcesettings/js/IPWhitelistView.js (https://github.com/nextcloud/bruteforcesettings/pull/20)
  • [ ] apps/comments/js/commentsmodifymenu.js
  • [ ] apps/comments/js/commentstabview.js
  • [ ] apps/comments/js/filesplugin.js
  • [ ] apps/external/js/admin.js
  • [ ] apps/files_external/js/settings.js
  • [ ] apps/files_external/js/statusmanager.js
  • [ ] apps/files/js/detailsview.js
  • [ ] apps/files/js/fileactions.js
  • [ ] apps/files/js/fileactionsmenu.js
  • [ ] apps/files/js/filelist.js
  • [ ] apps/files/js/filesummary.js
  • [ ] apps/files/js/mainfileinfodetailview.js
  • [ ] apps/files/js/newfilemenu.js
  • [ ] apps/files/js/tagsplugin.js
  • [ ] apps/files_sharing/js/files_drop.js
  • [ ] apps/files_sharing/js/sharetabview.js
  • [ ] apps/files_versions/js/versionstabview.js
  • [ ] apps/richdocuments/js/documents.js
  • [ ] apps/systemtags/js/systemtagsinfoviewtoggleview.js
  • [ ] apps/twofactor_backupcodes/js/settingsview.js
  • [ ] apps/twofactor_u2f/js/build/settings.js
  • [ ] apps/twofactor_u2f/js/settingsview.js
  • [ ] apps/workflowengine/js/admin.js
  • [ ] core/js/contactsmenu.js
  • [ ] core/js/jquery.contactsmenu.js
  • [ ] core/js/sharedialogexpirationview.js
  • [ ] core/js/sharedialoglinkshareview.js
  • [ ] core/js/sharedialogresharerinfoview.js
  • [ ] core/js/sharedialogshareelistview.js
  • [ ] core/js/sharedialogview.js
  • [ ] core/js/systemtags/systemtagsinputfield.js
  • [ ] settings/js/authtoken_view.js
  • [ ] settings/js/federationscopemenu.js

Now we can start doing 2 things.

  1. Add compiled handlebars templates
  2. Move this over to vue

@nextcloud/javascript, your opinion is appreciated.
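Why `Handlebars.compile` needs `'unsafe-eval'` and what option 1 (precompiled templates) changes is easier to see on a toy engine. The following is an added example, not code from Nextcloud, Handlebars or this thread: a minimal `{{var}}` / `{{{var}}}` template engine written as runtime compiler, build-time precompiler and plain interpreter. The template syntax, the `rt` runtime object, the function names and the sample context are assumptions made for illustration.

```javascript
// Added example, not Nextcloud or Handlebars code. A minimal {{var}} template
// engine written three ways, to show where CSP 'unsafe-eval' bites and what
// "precompiled templates" (option 1 in the thread) changes. Syntax modelled on
// Handlebars: {{path.to.value}} is HTML-escaped, {{{path}}} is inserted raw.

const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(v) { return String(v).replace(/[&<>"']/g, c => ESC[c]); }

// Resolve a dotted path against the context; missing values render as ''.
function lookup(ctx, path) {
  const v = path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), ctx);
  return v == null ? '' : v;
}

// Split a template into literal text and variable references.
function tokenize(src) {
  const re = /\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{\s*([\w.]+)\s*\}\}/g;
  const tokens = [];
  let last = 0, m;
  while ((m = re.exec(src)) !== null) {
    if (m.index > last) tokens.push({ type: 'text', value: src.slice(last, m.index) });
    tokens.push(m[1] !== undefined ? { type: 'raw', path: m[1] } : { type: 'esc', path: m[2] });
    last = re.lastIndex;
  }
  if (last < src.length) tokens.push({ type: 'text', value: src.slice(last) });
  return tokens;
}

// Turn tokens into a JS expression that concatenates the output. `rt` is the
// tiny runtime library (lookup + escapeHtml) the generated code depends on.
function generateBody(src) {
  const parts = tokenize(src).map(t => {
    if (t.type === 'text') return JSON.stringify(t.value);
    const get = `rt.lookup(ctx, ${JSON.stringify(t.path)})`;
    return t.type === 'esc' ? `rt.escapeHtml(${get})` : `String(${get})`;
  });
  return parts.length ? parts.join(' + ') : '""';
}

// 1) Runtime compilation, what Handlebars.compile() does in the browser: the
//    template becomes source text that is executed with new Function(). A CSP
//    lacking 'unsafe-eval' rejects this with an EvalError at page load.
function compileAtRuntime(src) {
  const factory = new Function('rt', `return function (ctx) { return ${generateBody(src)}; };`);
  return factory({ lookup, escapeHtml });
}

// 2) Precompilation: the same code generation, but run at build time. The
//    returned source is written into a .js file and shipped as a static script;
//    the browser only loads a plain function and never calls new Function().
function precompile(src) {
  return `function (rt, ctx) { return ${generateBody(src)}; }`;
}

// This is what precompile('<li>{{name}}</li>') emits, pasted here as a function
// literal the way a build step would leave it in a generated templates.js.
// Loading it under a strict CSP is fine: it is ordinary script, not runtime codegen.
const precompiledListItem = function (rt, ctx) { return "<li>" + rt.escapeHtml(rt.lookup(ctx, "name")) + "</li>"; };

// 3) Interpretation, no code generation at all: walk the tokens directly. Not
//    one of the two options in the thread; shown as the CSP-safe fallback for
//    templates that are only known at runtime.
function renderInterpreted(src, ctx) {
  return tokenize(src).map(t =>
    t.type === 'text' ? t.value
      : t.type === 'esc' ? escapeHtml(lookup(ctx, t.path))
      : String(lookup(ctx, t.path))
  ).join('');
}

// Startup probe a page can use to confirm its CSP really forbids code generation.
// Browsers throw EvalError from new Function() under such a policy; Node has no
// CSP, so here it returns true.
function evalAllowed() {
  try { new Function('return 1')(); return true; }
  catch (e) { if (e instanceof EvalError) return false; throw e; }
}

const runtime = { lookup, escapeHtml };
// Constructed sample input: a hostile user name and a trusted pre-rendered badge.
const sampleCtx = { user: { name: '<script>alert(1)</script>' }, badge: '<em>admin</em>' };
const sampleSrc = 'Hello {{user.name}} {{{badge}}} {{missing}}!';

console.log('runtime compile :', compileAtRuntime(sampleSrc)(sampleCtx));
console.log('interpreted     :', renderInterpreted(sampleSrc, sampleCtx));
console.log('build output    :', precompile(sampleSrc));
console.log('precompiled fn  :', precompiledListItem(runtime, { name: '<b>' }));
console.log('eval allowed    :', evalAllowed());
```

With real Handlebars the split is the same: the full `handlebars.js` carries the compiler and needs `'unsafe-eval'`, while `handlebars.runtime.js` only provides `Handlebars.template()` for specs produced by the `handlebars` CLI at build time. Option 2 has the matching caveat: Vue's full build also compiles templates with `new Function`, so only the runtime-only build fed with precompiled render functions works under a CSP without `'unsafe-eval'`.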

I prefer consistency over having multiple concurrent solutions in place. Voting for 2.

We have a stricter CSP in place now. Let me close this.
