Addressing 'unsafe-eval'
Addressing 'unsafe-eval'
(For DataTables 1.10.18.) I use Kaspersky's browser extension for web security and it is causing the following error to be displayed in the console on page load (web browser is Chrome v68.0.3440.106
).
The error:
Uncaught EvalError: Refused to evaluate a string as JavaScript because
'unsafe-eval' is not an allowed source of script in the following Content
Security Policy directive: "script-src 'self' http://gc.kis.v2.scr.kaspersky-labs.com
ws://gc.kis.v2.scr.kaspersky-labs.com".
at new Function (<anonymous>)
at new Pointer (datatables.js:53128)
at Object.<anonymous> (datatables.js:35248)
at Object.<anonymous> (datatables.js:49672)
at __webpack_require__ (datatables.js:9199)
at Object.<anonymous> (datatables.js:15889)
at Object.<anonymous> (datatables.js:15959)
at Object.<anonymous> (datatables.js:15961)
at __webpack_require__ (datatables.js:9199)
at Object.<anonymous> (datatables.js:34679)
And, as specified in the stack trace, line 53128
of datatables.js
:
this.relativeToGetter = new Function('ctx', "return ctx." + this.options.relativeTo);
I am not doing anything in my HTML/JavaScript (it's just an empty page) and therefore am not using DataTables at all; this error occurs when I simply include the downloaded datatables.js
in a <script>
tag in my <head>
. Of course, I can disable Kaspersky's injection of JavaScript into pages I visit, however this is not ideal and I would prefer that visitors of my website not have to do that either.
So my question is whether there's a way to alter DataTables to not perform "unsafe evaluation"? Is this a known issue?
Replies
I have found a workaround for this, though I don't think this issue should be disregarded by the DataTables developers. For anyone who's curious, what I did was configure my server's Content Security Policy with the following parameters:
Refer to this page for more information.
Hi,
Thanks for getting in touch about this. its actually an issue with the third party pdfmake library which is bundled in the datatables.js file if you select the pdfmake option for PDF export.
This issue appears to be relevant but it is marked as closed. It might be worth adding a comment there.
Allan
The download builder uses pdfmake v0.1.36.
Allan
Thanks for responding @allan.
Here is another GitHub issue about this (in foliojs/restructure, which is a dependency of pdfmake). The issue still appears to be open, but at least now we can track it at the source. It seems the issue has been addressed in a fork of foliojs/restructure and we're just waiting for a merge at this point.
Per the restrucutre library this was fixed in their code in version 2.0. Any news on when this may be updated in datatables?
I'm not seeing a version 2.0 - their page still talks about 0.1.63 being the most recent. We don't embed the library within our code, so if there is a new one with compatibility, you could just include that version instead.
Colin
We are facing the same problem. New version of pdfmake seems to be released (v0.2.2). Is it possible to include the new version, when downloading and using the file datatables.min.js?
We don't host the pdfmake files any more on our CDN as they were massive and we have a large enough bandwidth bill as it is. Instead the download builder provides links to CDNJS for pdfmake. You can get their latest files from here.
I'll look at updating our links to the latest version.
Allan
@allan Following up about this because I noticed the pdfmake version hasn't been updated to the latest version in the download builder.
Yes sorry, I've not had a chance to do that yet. I've got it on my list
Allan