Hi,
I am trying to secure my meteor app by enforcing a CSP (as recommended in the ‘secure meteor’ book) and removing ‘unsafe-eval’ from script-src.
Below is my server-side code (localhost on my development machine), as well as the results on the client.
It appears that the line
BrowserPolicy.content.disallowEval();
does not remove ‘unsafe-eval’.
Any advice?
```javascript
import {BrowserPolicy} from 'meteor/browser-policy';

BrowserPolicy.framing.disallow();
BrowserPolicy.content.disallowInlineScripts();
BrowserPolicy.content.disallowEval();
BrowserPolicy.content.disallowObject();
BrowserPolicy.content.allowImageOrigin('https://api.mapbox.com');
```
which gives the following result on the client:
```
default-src 'self';
script-src 'self' 'unsafe-eval';
connect-src * 'self';
img-src data: 'self' https://api.mapbox.com;
style-src 'self' 'unsafe-inline';
object-src 'none';
```
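As an added check (not code from the original post or from Meteor), here is a small Node.js script that parses a CSP header string and reports whether it permits eval(), applying the script-src to default-src fallback that browsers use; the constructed input is the policy shown above, so it is a quick way to confirm whether a served header really blocks eval.

```javascript
// Added example: parse a Content-Security-Policy value and decide whether
// scripts may call eval(). Not part of the original post or of Meteor.

// Split "name value value; name value" into a Map of directive -> sources.
// Browsers honour only the first occurrence of a directive name.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// The source list governing scripts: script-src if present, otherwise
// default-src (CSP fallback), otherwise null meaning "no restriction".
function effectiveScriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// true if eval()/new Function() would be permitted under this policy.
function allowsEval(policy) {
  const sources = effectiveScriptSources(parseCsp(policy));
  if (sources === null) return true; // nothing restricts scripts at all
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Constructed input: the header the post reports BrowserPolicy emitting.
const meteorPolicy =
  "default-src 'self'; script-src 'self' 'unsafe-eval'; connect-src * 'self'; " +
  "img-src data: 'self' https://api.mapbox.com; " +
  "style-src 'self' 'unsafe-inline'; object-src 'none';";

console.log(allowsEval(meteorPolicy) ? 'eval allowed' : 'eval blocked');
```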
Hi,
Any help would be greatly appreciated.
Hey @ggerber , just noticed this went unanswered!
The `unsafe-eval` permission is set by the `dynamic-import` package, since it needs to eval the packages after they are received.
Unfortunately, it’s also currently impossible to remove `dynamic-import` as it’s required by both `ecmascript` and `socket-stream-client` (aka `ddp-client` / `ddp` / `meteor-base`).
Related issues:
> Issue (opened 23 Sep 19, 11:16PM UTC; closed 10 Jan 20, 10:50PM UTC; label: confirmed)
> On Meteor 1.8.1 this is maybe true for `browser-policy` package, but it is not really true for any realistic Meteor app these days because apps use `ecmascript` which requires `dynamic-import`, which enabled `eval` by default. So in practice, by default, `eval` is enabled. See #10704.
> It should be probably clarified in the README that the package by default keeps it disabled, but Meteor apps by default enable it because of `dynamic-import` and that you should remove `dynamic-import` package if you want to get it disabled (I hope that resolution of #10704 will be that one can remove `dynamic-import`).
> See: https://github.com/meteor/meteor/tree/devel/packages/browser-policy

> Issue (opened 23 Sep 19, 11:12PM UTC; labels: confirmed, Project:Webapp:Browser Policy, Project:Dynamic Import)
> It looks like on Meteor 1.8.1 it is not possible to disable `dynamic-import` because it is a strict dependency of `ecmascript`. This is especially problematic because `dynamic-import` forces CSP to allow `eval`. So if you want to disable `eval` you have to remove `ecmascript`?
> Moreover, if one does not want to use `dynamic-import` (because it does not work with disabled `eval`), having it bundled for the client always seems unnecessary.
> See here for more information: https://github.com/meteor/meteor/blob/devel/packages/dynamic-import/security.js
If this is a hard policy requirement, you can try creating local forks of these packages, replacing the dynamic imports with static ones. Not sure what else you can try!
Thank you for a great reply!
I guess ‘unsafe-eval’ does not pose a major security risk, as I don’t see the rest of the community talking much about it. From what I gather it is also an implied requirement for new versions of Meteor.
Will keep my eyes open for ways to remove ‘unsafe-eval’, while keeping dynamic-imports.
Thanks