Hi!
We have a situation where we are improving the security headers of our app, and noticed something interesting:
if I add the following policy:
import { BrowserPolicy } from 'meteor/browser-policy-common';
import { Meteor } from 'meteor/meteor';

Meteor.startup(() => {
  BrowserPolicy.content.disallowEval();
});
It prevents usage of $where on our Meteor collections client-side, like:
Collection.find({ $where: 'this.a > this.b' }).fetch()
Of course, we can achieve the same effect as above on the client side by refactoring to this:
Collection.find().fetch().filter(item => item.a > item.b)
But since we have a convention of using a helper to construct the same query both client-side and server-side for a reliable result, that would ensure a lot of refactoring and poorer code quality IMO. Also, I find it peculiar that Meteor.Collection would be shipped with such a vulnerability if the BrowserPolicy is correct. Does anyone have experience with this and can weigh in? Thanks!
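As an added illustration, not code from the post above and not Meteor's or minimongo's own source, the block below shows in plain Node why a string `$where` needs eval (the selector text is compiled with the Function constructor, which a CSP without 'unsafe-eval' refuses) and sketches a hypothetical shared helper that keeps the one-query-definition convention: a single declarative comparison yields a plain function predicate for the client and the equivalent `$where` string for the server. The helper names, the field-name whitelist and the sample documents are assumptions.

```javascript
// Added example, not from the original post and not Meteor/minimongo code.
// Part 1 illustrates (in simplified form) why a string `$where` needs eval:
// the selector text becomes a function via the Function constructor, which a
// CSP lacking 'unsafe-eval' (BrowserPolicy.content.disallowEval()) refuses.
function compileWhereString(whereStr) {
  // Illustrative stand-in for the client-side compilation step.
  const fn = new Function('obj', 'return ' + whereStr);
  return (doc) => Boolean(fn.call(doc, doc));
}
// Part 2: a hypothetical shared helper. Client and server share ONE declarative
// comparison description; the client gets a real function (no eval needed),
// the server gets the equivalent `$where` string.
const OPS = {
  '>':  (x, y) => x > y,
  '>=': (x, y) => x >= y,
  '<':  (x, y) => x < y,
  '<=': (x, y) => x <= y,
  '==': (x, y) => x === y,
};
const FIELD_RE = /^[A-Za-z_$][\w$]*$/; // only plain identifiers may reach the $where string

function assertComparison({ left, op, right }) {
  if (!FIELD_RE.test(left) || !FIELD_RE.test(right)) throw new Error('bad field name');
  if (!(op in OPS)) throw new Error('unsupported operator');
}

// Client side: a predicate function, safe under a no-eval CSP.
function buildClientPredicate(cmp) {
  assertComparison(cmp);
  return (doc) => OPS[cmp.op](doc[cmp.left], doc[cmp.right]);
}

// Server side: the `$where` string the original query used.
function buildServerWhere(cmp) {
  assertComparison(cmp);
  return `this.${cmp.left} ${cmp.op} this.${cmp.right}`;
}

// Constructed sample documents standing in for Collection.find().fetch().
const SAMPLE_DOCS = [
  { _id: 'x', a: 5, b: 2 },
  { _id: 'y', a: 1, b: 9 },
  { _id: 'z', a: 7, b: 7 },
];
const A_GT_B = { left: 'a', op: '>', right: 'b' };

function idsMatching(docs, predicate) {
  return docs.filter(predicate).map((d) => d._id);
}
```

Outside a CSP (for example in Node) both paths select the same documents; under `disallowEval()` only the predicate path runs, which is the refactor the shared helper absorbs.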