@protobufjs/inquire violates default content security policy

[sherlock1982]

protobuf.js version: 6.8.6

There's a special code inside @protobufjs/inquire:

function inquire(moduleName) {
    try {
        var mod = eval("quire".replace(/^/,"re"))(moduleName); // eslint-disable-line no-eval
        if (mod && (mod.length || Object.keys(mod).length))
            return mod;
    } catch (e) {} // eslint-disable-line no-empty
    return null;
}

If I apply "Content-Security-Policy" without additional exceptions to allow eval than it's prohibited. Actually it's the only eval in my ~1Mb minified file.
Probably there's a way to avoid it and become CSP compliant?

UPD: I'm using minimal variant with everything inbuilt.

[pietrodn]

I have the same problem. Electron 2.0.0 now prints out a warning if the web page has no Content-Security-Policy, or if it has one but unsafe-eval is enabled.
For now, protobufjs forces us to keep unsafe-eval enabled.

[arturjanc]

From the perspective of a security engineer who deploys Content Security Policy across a large number of applications, it would be great to have this code refactored to not rely on eval(), so that it doesn't force its users to set unsafe-eval in their CSP.

If this is difficult to refactor, just making sure that this is only executed in non-browser environments would be a reasonable workaround.

[LancerComet]

How about using new Function instead of eval?

const mod = new Function("id", "return require(id)")(moduleName)

[arturjanc]

new Function() is subject to the same CSP restrictions as eval():
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_eval_expressions

[LancerComet]

I've replaced protobuf.js with https://github.com/mapbox/pbf

[p3v9d5ui]

Any update on this? This issue has been open for 6 years now! Being incompatible with a safe script-src CSP policy is becoming more and more unacceptable.