javascript: uses unsafe-eval #515
Comments
What's the action item here? Is it specific to JavaScript SIG and should be moved there?
Based on description it looks like a JS library issue, not a schema problem. So I've transferred this issue
For Node, the content security policy I don't think would apply, so this is really only relevant to browser-specific code. But I don't think we should be using protos directly in any code that gets shipped to the browser. What the OTel Collector exporter should do instead is to just essentially vendor the TS types for the JSON that will get sent to the collector (that corresponds via cc/ @obecny Does this seem right? Or am I missing something here?
From what I see now the
There's really no reason for OpenTelemetry to use any protos unless protos are already being used.
For the reasons mentioned above the usage of
The alternative is to use protobuf.js to generate the sources at compile-time (either through Node.js API or @harmony-dev/protobufjs-cli). It's not an issue for protobuf.js; it already has support for non-eval.
Howdy,
Something recently came up with lightstep's javascript tracer implementation that I wanted to relay here. The protobuf library for browser javascript uses `eval`, creating a CSP violation. There are currently two open tickets with no response: protocolbuffers/protobuf#5464 and protocolbuffers/protobuf#6770. There's an alternative protobuf implementation called protobuf.js but it also has the same issue: protobufjs/protobuf.js#593
Not really sure what there is to do with this, but it is a potentially massive gotcha depending on how strict the end user's security policies are.