Non-eval'ing method #6

tmcw · 2015-08-12T14:55:59Z

The usage of the Function constructor in this module means that mapbox-gl-js upstream cannot satisfy the Content Security Policy unsafe-eval rule. For CSP-implementing sites, a non-eval'ing method would better.

The text was updated successfully, but these errors were encountered:

jfirebaugh · 2015-08-12T21:16:12Z

It would be possible to feature detect this and fall back to an interpreted implementation:

// Are we running under a CSP that forbids unsafe-eval?
try {
  new Function('');
  module.exports = require('./compiled'); // No; use fast eval'ing implementation
} catch (e) {
  module.exports = require('./interpreted); // Yes; use slower interpreted implementation
}

But it would be preferable not to introduce a performance variable and use a sufficiently well performing, eval-free implementation everywhere.

jfirebaugh · 2015-08-12T21:17:24Z

Feature detecting probably spams CSP violation reports though, huh?

Closes #6, closes #8, closes #10.

Closes #6, closes #10, ref #8.

jfirebaugh mentioned this issue Aug 12, 2015

Remove all uses of "new Function" and "eval" mapbox/mapbox-gl-js#559

Closed

mourner added a commit that referenced this issue Jan 29, 2016

fast eval-less filter implementation

9ba624b

Closes #6, closes #8, closes #10.

mourner mentioned this issue Jan 29, 2016

Eval-less filter implementation #11

Closed

mourner added a commit that referenced this issue Jan 29, 2016

faster and simpler filter implementation

55aecbb

Closes #6, closes #10, ref #8.

mourner closed this as completed in b4bc18d Jan 29, 2016

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Non-eval'ing method #6

Non-eval'ing method #6

tmcw commented Aug 12, 2015

jfirebaugh commented Aug 12, 2015

jfirebaugh commented Aug 12, 2015

Non-eval'ing method #6

Non-eval'ing method #6

Comments

tmcw commented Aug 12, 2015

jfirebaugh commented Aug 12, 2015

jfirebaugh commented Aug 12, 2015