BrowserPolicy.content.disallowEval() still gives 'unsafe-eval'

ggerber · October 3, 2019, 8:07pm

Hi,

I am trying to secure my meteor app by enforcing a CSP (as recommended in the the ‘secure meteor’ book) and removing ‘unsafe-eval’ from script-src.

Below my server side code (localhost on my development machine), as well as the results on the client.

It appears that the line
BrowserPolicy.content.disallowEval();
does not remove ‘unsafe-eval’.

Any advice?

import {BrowserPolicy} from 'meteor/browser-policy';

BrowserPolicy.framing.disallow();
BrowserPolicy.content.disallowInlineScripts();
BrowserPolicy.content.disallowEval();
BrowserPolicy.content.disallowObject();
BrowserPolicy.content.allowImageOrigin('https://api.mapbox.com');

which gives the following result on the client:

default-src 'self';
script-src 'self' 'unsafe-eval';
connect-src * 'self';
img-src data: 'self' https://api.mapbox.com;
style-src 'self' 'unsafe-inline';
object-src 'none';

ggerber · October 8, 2019, 9:05am

Hi,

Any help would be greatly appreciated.

coagmano · October 16, 2019, 12:29am

Hey @ggerber, just noticed this went unanswered!

The unsafe-eval permission is set by the dynamic-import package, since it needs to eval the packages after they are received.

Unfortunately, it’s also currently impossible to remove dynamic-import as it’s required by both ecmascript and socket-stream-client (aka ddp-client / ddp / meteor-base).

Related issues:

If this is a hard policy requirement, you can try creating local forks of these packages, replacing the dynamic imports with static ones. Not sure what else you can try!

ggerber · October 16, 2019, 7:12am

Thank you for a great reply!

I guess ‘unsafe-eval’ does not pose a major security risk, as I don’t see the rest of the community talking much about it. From what I gather it is also an implied requirement for new versions of Meteor.

Will keep my eyes open for ways to remove ‘unsafe-eval’, while keeping dynamic-imports.

Thanks