-
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Content Security Poilicy] Filtering in x-data-grid broken after update to v6.10.1 due to eval #9771
Comments
@romgrk How about making the use of |
Yeah, I totally forgot that eval might be a problem for CSP 🙃 |
|
I'll check if we can feature-detect @peterhirn 300KB seems excessive for what we do with |
Yes, I'm sure. Changing WARN ../../.yarn/virtual/@mui-x-data-grid-virtual-e60fa12330/0/cache/@mui-x-data-grid-npm-6.10.1-a169528a91-7ae6335b82.zip/node_modules/@mui/x-data-grid/hooks/features/filter/gridFilterUtils.js (171:21) Use of eval in "../../.yarn/virtual/@mui-x-data-grid-virtual-e60fa12330/0/cache/@mui-x-data-grid-npm-6.10.1-a169528a91-7ae6335b82.zip/node_modules/@mui/x-data-grid/hooks/features/filter/gridFilterUtils.js" is strongly discouraged as it poses security risks and may cause issues with minification. I don't feel like creating a minimal reproduction of this issue. Project setup: |
@peterhirn I had a quick look. It seems to be because Terser (used by Vite) can no longer minify function names as Edit: Ah no, I'm wrong. Vite uses esbuild to minify now. https://esbuild.github.io/api/#minify-considerations @romgrk maybe we should hide the eval call to code analyzer tools? using something like esbuild docs encourage to use https://esbuild.github.io/content-types/#direct-eval: // Indirect eval (has no effect on the surrounding code)
let result = (0, eval)(something) would this work? It would isolate the expression from the global scope. |
It's a bit different, I think we can work around that by adding another real closure around and passing arguments instead of closure values. Let's move the discussion to #10056. |
Versions 6.10.1 use eval, which causes problems with CSP and minification: mui/mui-x#9771 mui/mui-x#10056
Steps to reproduce 🕹
Steps:
Current behavior 😯
filters are not applied and console shows errors that eval expressions have been blocked due to content-security-policy.
Expected behavior 🤔
filters should work without having to enable unsafe-eval CSP header.
Context 🔦
I report this as a bug, since I consider it a breaking change in a patch version update. The same content-security-policy works fine with v6.10.0
The change has most likely been introduced in #9635 and can easily be worked around by including content-security-policy header script-src: 'unsafe-eval'. But I do not consider it safe to do so.
Hence my question: Is there another way of enabling eval expressions just for this script instead of globally?
Also, please update you changelog to warn others about this change.
A bit related to:
Your environment 🌎
Firefox and chrome are affected, I did not test any other browser.
Order ID or Support key 💳 (optional)
No response
The text was updated successfully, but these errors were encountered: