Unsafe-eval CSP issue #337
Comments
@kevinvugts I couldn’t find any usage of I’ll also implement an ESLint rule to check for
Based on this issue -> emscripten-core/emscripten#20994, passing Update: This approach does not resolve the problem, as DYNAMIC_EXECUTION is already disabled in the core player (see https://github.com/LottieFiles/dotlottie-rs/blob/main/Makefile#L263) 🤔
@kevinvugts One potential solution to consider is using The
Thank you so much for getting back to me. However, may I ask why there are references to eval? This is a potential security hazard and shouldn't be present in a core library of LottieFiles in my opinion. CSP policies nowadays prevent these types of attacks by disabling them. And I don't feel comfortable enabling these inline scripts to be able to be executed. What is your view on this?
@kevinvugts, This issue arises from the generated code by the Emscripten library, which compiles our core dotLottie Rust player and handles the WebAssembly and JS-binding "glue" code. It’s a common issue, as discussed here: WebAssembly/content-security-policy#7. You might find success using
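The maintainer above mentions adding an ESLint rule to check for eval, and explains that the dynamic-execution sites come from Emscripten's generated glue code. As an added example (not code from the dotlottie project), here is a minimal check of that kind, run over a constructed snippet imitating Emscripten-style glue; every pattern it flags is blocked by a CSP that omits 'unsafe-eval'. It covers JavaScript dynamic execution only; WebAssembly compilation is governed by CSP separately and is not detected here.

```javascript
// Added example, not dotlottie project code. Flags the JS constructs that a
// CSP without 'unsafe-eval' refuses to run. Regex literals are assumed absent.
const DYNAMIC_EXEC_PATTERNS = [
  { name: "eval()",               re: /(?<![\w$])eval\s*\(/ },
  { name: "Function constructor", re: /(?<![\w.$])(?:new\s+)?Function\s*\(/ },
  { name: "string timer",         re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/ },
];
// Blank out comments and string-literal bodies (quotes are kept and newlines
// preserved so line numbers stay correct), so that "eval" inside a comment or
// an error message is not reported as a finding.
function stripCommentsAndStrings(src) {
  let out = "", i = 0;
  while (i < src.length) {
    const c = src[i], n = src[i + 1];
    if (c === "/" && n === "/") {                 // line comment
      while (i < src.length && src[i] !== "\n") i++;
    } else if (c === "/" && n === "*") {          // block comment
      const end = src.indexOf("*/", i + 2);
      const stop = end === -1 ? src.length : end + 2;
      out += src.slice(i, stop).replace(/[^\n]/g, " ");
      i = stop;
    } else if (c === '"' || c === "'" || c === "`") {   // string literal
      let j = i + 1;
      while (j < src.length && src[j] !== c) { if (src[j] === "\\") j++; j++; }
      out += c + src.slice(i + 1, j).replace(/[^\n]/g, "") + c;
      i = j + 1;
    } else { out += c; i++; }
  }
  return out;
}
// Returns [{ line, pattern }] for every dynamic-execution site found in src.
function findDynamicExecution(src) {
  const findings = [];
  stripCommentsAndStrings(src).split("\n").forEach((text, idx) => {
    for (const { name, re } of DYNAMIC_EXEC_PATTERNS) {
      if (re.test(text)) findings.push({ line: idx + 1, pattern: name });
    }
  });
  return findings;
}
// Constructed sample input; this is not real Emscripten output.
const SAMPLE_GLUE = `
// eval is only mentioned in this comment
function abort(what) { throw new Error("no eval here: " + what); }
function dynCall(sig, ptr, args) { return eval("f_" + sig)(ptr, args); }
var compileFn = new Function("a", "b", "return a + b");
setTimeout("Module.run()", 0);
var result = WebAssembly.instantiate(wasmBinary, imports);
`;
console.log(findDynamicExecution(SAMPLE_GLUE)); // reports lines 4, 5 and 6
```

Running the scanner over a built bundle (rather than the constructed sample) shows exactly which generated lines would need 'unsafe-eval', which is the list a maintainer has to eliminate before the CSP can drop that directive.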
Hi @theashraf I think this would work for now. Isn't there another way to compile your core library? As this might open a lot of security risks to all users that use this native library of Lottie. :(
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.
Overview
Dear,
I am concerned about the @lottiefiles/dotlottie-react library since it makes use of unsafe-eval. I have to enable it to make the Lottie file work, but I am doubting whether this is the way to go.
Could you guys elaborate more on this security topic?