
Prevent Content Security Policy (CSP) noise from unsafe-eval / new Function("") #117

Open
brianmhunt opened this issue Nov 22, 2024 · 1 comment

@brianmhunt

As noted elsewhere, e.g. openreplay/openreplay#1934, when a Content Security Policy does not have unsafe-eval in its script-src, the browser will emit an error to the report-uri and prevent the script from running.

A common best practice is to use a CSP to prevent unsafe-eval and to record any eval / new Function attempts. E.g. https://web.dev/articles/strict-csp

The new Function("") in cbor-x triggers such a CSP violation, which creates a lot of noise. For us, we have seen millions of cases of this false-positive in our reporting tool (sentry.io), making reporting noisier and more costly.

There is no apparent way to selectively disable or capture the CSP error from within the browser.

It would be useful if there were a way to disable the new Function. I think this would require it being lazy, and perhaps exposing inlineReadObjectThreshold as a parameter (or equivalent).

The workaround is to use something like patch-package, but it's obviously less than ideal to modify packages (as seen in the openreplay issue above).
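As an added illustration of the lazy, opt-out approach this issue asks for (constructed example code, not cbor-x's own implementation; the names probeState, canUseDynamicCode and makeStructureReader are hypothetical), the following defers the new Function probe until a structure has actually been read more than inlineObjectReadThreshold times, so a threshold of Infinity never calls it:

```javascript
// Constructed example, not cbor-x code: a lazy eval probe behind an
// inlineObjectReadThreshold option. All names here are hypothetical.
const probeState = { checked: false, allowed: false, probes: 0 };

// Probe `new Function` at most once, and only when a caller actually
// wants generated code. Under a CSP without 'unsafe-eval' this single
// probe still produces one violation report, so the only way to avoid
// a report entirely is never to reach it (threshold Infinity).
function canUseDynamicCode() {
  if (!probeState.checked) {
    probeState.checked = true;
    probeState.probes += 1;
    try {
      new Function('');
      probeState.allowed = true;
    } catch (_err) {
      probeState.allowed = false; // eval blocked: keep the generic reader
    }
  }
  return probeState.allowed;
}

// Returns a reader for one record layout (a fixed list of keys). The
// generic path builds the object by hand; after `threshold` reads a
// compiled reader is generated, mirroring the cbor-x inline-reader idea.
function makeStructureReader(keys, options = {}) {
  const threshold = options.inlineObjectReadThreshold ?? 2;
  let reads = 0;
  let compiled = null;
  return function read(values) {
    reads += 1;
    if (compiled === null && reads > threshold && canUseDynamicCode()) {
      // Keys are embedded as JSON string literals so they cannot break
      // out of the generated source.
      const body = 'return {' +
        keys.map((k, i) => JSON.stringify(k) + ': v[' + i + ']').join(', ') +
        '}';
      compiled = new Function('v', body);
    }
    if (compiled !== null) return compiled(values);
    const obj = {};
    keys.forEach((k, i) => { obj[k] = values[i]; });
    return obj;
  };
}

// With Infinity the probe never runs, so no CSP report is ever generated.
const quietReader = makeStructureReader(['id', 'name'], { inlineObjectReadThreshold: Infinity });
quietReader([1, 'a']); quietReader([2, 'b']); quietReader([3, 'c']);
console.log('probes after Infinity-threshold reads:', probeState.probes); // 0
```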


brianmhunt commented Nov 22, 2024

For future readers, using patch-package, here's the trivial patch in patches/cbor-x+1.6.0.patch.

diff --git a/node_modules/cbor-x/decode.js b/node_modules/cbor-x/decode.js
index 362ff36..0a67bc0 100644
--- a/node_modules/cbor-x/decode.js
+++ b/node_modules/cbor-x/decode.js
@@ -40,15 +40,8 @@ let defaultOptions = {
        mapsAsObjects: true
 }
 let sequentialMode = false
-let inlineObjectReadThreshold = 2;
+let inlineObjectReadThreshold = Infinity;
 var BlockedFunction // we use search and replace to change the next call to BlockedFunction to avoid CSP issues for
-// no-eval build
-try {
-       new Function('')
-} catch(error) {
-       // if eval variants are not supported, do not create inline object readers ever
-       inlineObjectReadThreshold = Infinity
-}
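Review bot: the hunk header `@@ -40,15 +40,8 @@` promises 15 old and 8 new lines, but only 12 old and 5 new are shown, so the three trailing context lines after the removed `}` have been lost in the paste and the patch is unlikely to apply cleanly as copied; readers should regenerate it with patch-package against their own node_modules rather than copy this text. Two smaller points on the content: removing the try/catch leaves the `var BlockedFunction` comment ("we use search and replace to change the next call to BlockedFunction") pointing at a call that no longer exists, and changing the default to `Infinity` does more than skip the probe, since by the removed comment's own wording it means inline object readers are never created, so this trades decode performance for silence rather than adding a selective opt-out.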
