Addressing 'unsafe-eval'


statocruz Posts: 3 Questions: 0 Answers: 0

(For DataTables 1.10.18.) I use Kaspersky's browser extension for web security and it is causing the following error to be displayed in the console on page load (web browser is Chrome v68.0.3440.106).

The error:

    Uncaught EvalError: Refused to evaluate a string as JavaScript because
    'unsafe-eval' is not an allowed source of script in the following Content
    Security Policy directive: "script-src 'self' http://gc.kis.v2.scr.kaspersky-labs.com
    ws://gc.kis.v2.scr.kaspersky-labs.com".
        at new Function (<anonymous>)
        at new Pointer (datatables.js:53128)
        at Object.<anonymous> (datatables.js:35248)
        at Object.<anonymous> (datatables.js:49672)
        at __webpack_require__ (datatables.js:9199)
        at Object.<anonymous> (datatables.js:15889)
        at Object.<anonymous> (datatables.js:15959)
        at Object.<anonymous> (datatables.js:15961)
        at __webpack_require__ (datatables.js:9199)
        at Object.<anonymous> (datatables.js:34679)

And, as specified in the stack trace, line 53128 of datatables.js:

    this.relativeToGetter = new Function('ctx', "return ctx." + this.options.relativeTo);

I am not doing anything in my HTML/JavaScript (it's just an empty page) and therefore am not using DataTables at all; this error occurs when I simply include the downloaded datatables.js in a <script> tag in my <head>. Of course, I can disable Kaspersky's injection of JavaScript into pages I visit, however this is not ideal and I would prefer that visitors of my website not have to do that either.

So my question is whether there's a way to alter DataTables to not perform "unsafe evaluation"? Is this a known issue?
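The line quoted above is the eval-style accessor that a Content Security Policy without 'unsafe-eval' refuses to run. As an added example (not part of the original post, and not code from DataTables, pdfmake or restructure), here is the same lookup done as a plain property walk, plus a small check of whether a CSP header value permits eval; the names makeRelativeGetter and cspAllowsEval are my own.

```javascript
// Added example, not code from DataTables, pdfmake or restructure.
// The quoted line builds an accessor with new Function("ctx", "return ctx." + path),
// which a CSP lacking 'unsafe-eval' refuses to run. The same lookup can be done
// as a plain property walk, with no eval and stricter checks on the path string.
const IDENT = /^[A-Za-z_$][\w$]*$/;
const BLOCKED = new Set(["__proto__", "constructor", "prototype"]);

// Compile a dotted path such as "parent.length" into a getter without eval.
function makeRelativeGetter(path) {
  if (typeof path !== "string" || path === "") {
    throw new TypeError("relativeTo must be a non-empty dotted path");
  }
  const segments = path.split(".");
  for (const seg of segments) {
    if (!IDENT.test(seg) || BLOCKED.has(seg)) {
      throw new TypeError(`rejected path segment: ${JSON.stringify(seg)}`);
    }
  }
  return function (ctx) {
    let cur = ctx;
    for (const seg of segments) {
      // Only own properties are followed; a missing hop yields undefined
      // instead of the TypeError the eval'd "return ctx.a.b" would raise.
      if (cur === null || cur === undefined) return undefined;
      if (!Object.prototype.hasOwnProperty.call(cur, seg)) return undefined;
      cur = cur[seg];
    }
    return cur;
  };
}

// Report whether a Content-Security-Policy header value lets scripts call
// eval / new Function. The first occurrence of a directive wins, and
// script-src falls back to default-src when it is absent.
function cspAllowsEval(policy) {
  let scriptSrc = null;
  let defaultSrc = null;
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    const name = (tokens[0] || "").toLowerCase();
    const sources = tokens.slice(1).map((s) => s.toLowerCase());
    if (name === "script-src" && scriptSrc === null) scriptSrc = sources;
    if (name === "default-src" && defaultSrc === null) defaultSrc = sources;
  }
  const effective = scriptSrc ?? defaultSrc;
  if (effective === null) return true; // no directive restricts scripts at all
  return effective.includes("'unsafe-eval'");
}
```

Run cspAllowsEval against the policy shown in the error above and it returns false, which is exactly why the browser raised the EvalError; the getter variant needs no change to the policy.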

Replies

  • statocruz Posts: 3 Questions: 0 Answers: 0
    edited September 2018

    I have found a workaround for this, though I don't think this issue should be disregarded by the DataTables developers. For anyone who's curious, what I did was configure my server's Content Security Policy with the following parameters:

    script-src 'self' 'unsafe-eval'

    Refer to this page for more information.

  • allan Posts: 54,897 Questions: 1 Answers: 8,605 Site admin

    Hi,

    Thanks for getting in touch about this. It's actually an issue with the third-party pdfmake library, which is bundled in the datatables.js file if you select the pdfmake option for PDF export.

    This issue appears to be relevant but it is marked as closed. It might be worth adding a comment there.

    Allan

  • allan Posts: 54,897 Questions: 1 Answers: 8,605 Site admin

    The download builder uses pdfmake v0.1.36.

    Allan

  • statocruz Posts: 3 Questions: 0 Answers: 0
    edited September 2018

    Thanks for responding @allan.

    Here is another GitHub issue about this (in foliojs/restructure, which is a dependency of pdfmake). The issue still appears to be open, but at least now we can track it at the source. It seems the issue has been addressed in a fork of foliojs/restructure and we're just waiting for a merge at this point.

  • ThomasZdon Posts: 1 Questions: 0 Answers: 0

    Per the restructure library, this was fixed in their code in version 2.0. Any news on when this may be updated in DataTables?

  • colin Posts: 12,913 Questions: 0 Answers: 2,200
    edited January 2020

    I'm not seeing a version 2.0 - their page still talks about 0.1.63 being the most recent. We don't embed the library within our code, so if there is a new one with compatibility, you could just include that version instead.

    Colin

  • floriankittelmann Posts: 1 Questions: 0 Answers: 0
    edited September 22

    We are facing the same problem. A new version of pdfmake seems to have been released (v0.2.2). Is it possible to include the new version when downloading and using the file datatables.min.js?

  • allan Posts: 54,897 Questions: 1 Answers: 8,605 Site admin

    We don't host the pdfmake files any more on our CDN as they were massive and we have a large enough bandwidth bill as it is. Instead the download builder provides links to CDNJS for pdfmake. You can get their latest files from here.

    I'll look at updating our links to the latest version.

    Allan

  • hackinwolf Posts: 1 Questions: 0 Answers: 0

    @allan Following up about this because I noticed the pdfmake version hasn't been updated to the latest version in the download builder.

  • allan Posts: 54,897 Questions: 1 Answers: 8,605 Site admin

    Yes sorry, I've not had a chance to do that yet. I've got it on my list :)

    Allan
