CSP Build for 3.15.1 breaks functions like Math.max #4700
Replies: 1 comment
Sorry about that. We've realized that allowing globals defeats the entire purpose of the CSP build and allows people to execute dangerous code in their expressions that gets them around CSP blocks. They can access your nonce and inject their own JavaScript using globals. We realize this is surprising and not ideal, but this really is a hard constraint. We recommend that you extract anything that needs a global into a function or other form of abstraction. Sorry, thanks for understanding.
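One way to follow the maintainer's recommendation above, as an added example that is not code from the thread or from Alpine itself: the `Math.max` call moves out of the template expression into an `Alpine.data` component, so the CSP build only has to resolve a property or method on the component scope. The component name `scores`, its sample values and the `clamp` helper are assumptions for illustration.

```javascript
// Added example: keep globals out of CSP-build template expressions by
// wrapping them in an Alpine.data() component (hypothetical "scores").
//
// Not usable with the CSP build, because the template expression itself
// reaches for the global Math object:
//   <div x-data="scores"><span x-text="Math.max(...values)"></span></div>
//
// Usable, because the template only references a member of the scope:
//   <div x-data="scores"><span x-text="largest"></span>
//     <button @click="add(12)">add</button></div>

// Factory for the component scope; Alpine.data() expects a function
// that returns the object Alpine will make reactive.
function scores() {
  return {
    values: [3, 9, 4],          // constructed sample data

    // The global call lives in component code, not in the template.
    get largest() {
      return this.values.length ? Math.max(...this.values) : null;
    },

    // Event handlers can stay free of globals the same way.
    add(n) {
      this.values.push(this.clamp(n, 0, 100));
    },

    // Any other global (here Math.min/Math.max) gets the same treatment.
    clamp(n, lo, hi) {
      return Math.min(hi, Math.max(lo, n));
    },
  };
}

// Register with Alpine when running in a page; outside a browser
// (e.g. a Node test) there is no Alpine, so only the factory runs.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  document.addEventListener('alpine:init', () => {
    window.Alpine.data('scores', scores);
  });
}
```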
As per the CSP docs, global variables and functions should work when using the CSP build, e.g. `Math.max(...)`. As of v3.15.1, these globals no longer work. This seems to be a result of this commit @joshhanley
Whether or not this is intended, it is a surprising breaking change for a patch version.
CodePen here: https://codepen.io/Simon-Jarrett-the-decoder/pen/MYKdPWd
Side note: the release notes reference `allowGlobals` instead of `allowGlobal`, which made it hard to find the problem. There doesn't seem to be a way to override this value through configuration.