Remove unsafe eval (#16704)

heiskr · web-flow · commit 685e7a36550a · 2020-12-02T16:19:14.000Z
* Remove unsafe eval

* Actually, we're not using this anyways

* Reset package-lock, I have no idea why this keeps changing

* Update csp.js

* Update server.js
diff --git a/javascripts/fake-hogan.js b/javascripts/fake-hogan.js
@@ -0,0 +1,15 @@
+// This module overrides "Hogan" that instantsearch.js uses
+// Hogan uses `new Function`,
+// so we can't use it with our content security policy.
+// Turns out, we use all our own templates anyway,
+// so we just have to shim out Hogan so it doesn't error!
+
+export default {
+  compile (template) {
+    return {
+      render (data) {
+        return ''
+      }
+    }
+  }
+}
diff --git a/middleware/csp.js b/middleware/csp.js
@@ -30,9 +30,7 @@ module.exports = contentSecurityPolicy({
     ],
     scriptSrc: [
       "'self'",
-      'data:',
-      "'unsafe-eval'", // exception for Algolia instantsearch
-      "'unsafe-inline'"
+      'data:'
     ],
     frameSrc: [ // exceptions for GraphQL Explorer
       'https://graphql-explorer.githubapp.com', // production env
diff --git a/tests/rendering/server.js b/tests/rendering/server.js
@@ -53,8 +53,6 @@ describe('server', () => {
     expect(csp.get('img-src').includes('octodex.github.com')).toBe(true)
 
     expect(csp.get('script-src').includes("'self'")).toBe(true)
-    expect(csp.get('script-src').includes("'unsafe-eval'")).toBe(true) // exception for Algolia instantsearch
-    expect(csp.get('script-src').includes("'unsafe-inline'")).toBe(true)
 
     expect(csp.get('style-src').includes("'self'")).toBe(true)
     expect(csp.get('style-src').includes("'unsafe-inline'")).toBe(true)
diff --git a/webpack.config.js b/webpack.config.js
@@ -4,6 +4,7 @@ const CopyWebpackPlugin = require('copy-webpack-plugin')
 const { EnvironmentPlugin } = require('webpack')
 
 module.exports = {
+  devtool: 'source-map', // this prevents webpack from using eval
   entry: './javascripts/index.js',
   output: {
     filename: 'index.js',
@@ -70,5 +71,12 @@ module.exports = {
       ]
     }),
     new EnvironmentPlugin(['NODE_ENV'])
-  ]
+  ],
+  resolve: {
+    alias: {
+      // Hogan uses `new Function` which breaks content security policy
+      // Turns out, we aren't even using it anyways!
+      'hogan.js': path.resolve(__dirname, 'javascripts/fake-hogan.js')
+    }
+  }
 }
