Remove use of 'unsafe-eval'

[danizep]

We are building a BIM viewer on a fairly large Enterprise setting.

As a big company we have to ensure security and we are subject penetration tests. This means that we have a fairly closed-up Content Security Policy configuration.

When we tried to deploy our first prototype of the viewer, we found that we needed to enable 'unsafe-eval' on CSP.

Since we know that the use of eval features it's largely a bad practice, is it possible get rid of that? Would be really important as it open the door for the execution of malicious code. ;)

Error loading IFC.
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self'".

    at new Function (<anonymous>)
    at HC (web-ifc-api.js:9018:18)
    at N_ (web-ifc-api.js:9021:28)
    at o (web-ifc-api.js:10895:51)
    at n.<anonymous> (web-ifc-api.js:52752:33)
    at l (regeneratorRuntime.js:86:1)
    at Vt._invoke (regeneratorRuntime.js:66:1)
    at Generator.next (regeneratorRuntime.js:117:1)
    at web-ifc-api.js:42:61
    at new s (zone.js:1387:29)

[agviegas]

Hi @danizep ! Sure, this might seem to be caused by Emscripten's generated code. We'll take a look and see if we can get rid of this. Cheers!

[wwwouter]

Any updates on this? We're in the middle of a pen test and I would like to remove 'unsafe-eval' to get a better grade. If this is landing shortly, I can postpone a bit.

[agviegas]

Hey, we will take care of this issues (and many of the rest) before the end of this year, but right now we can't commit to a more specific deadline. We are now scaling and getting funding so probably this will be different next year. Cheers!

[wwwouter]

Thanks for the quick reply, now it's all clear what to expect. Congrats on your funding!

[QuimMoya]

Hello @danizep and @wwwouter
We are testing possible solutions for this problem, but we must be able to reproduce it. Any ideas on how to enable this 'unsafe-eval' issue?

[wwwouter]

Does this help?

const http = require("http");

const host = "localhost";
const port = 8000;

const requestListener = function (req, res) {
  //   const headers = {
  //     "content-security-policy":
  //       "script-src 'self' 'unsafe-eval' ifcjs.github.io;",
  //   };
  const headers = {
    "content-security-policy": "script-src 'self' ifcjs.github.io;",
  };
  res.writeHead(200, headers);
  res.end(`<html>
    <head>      
    </head>
    <body>
        <aside class="side-menu" id="side-menu-left"></aside>
        <div id="viewer-container"></div>
        <div id="loading-overlay" class="loading-overlay hidden">
            <h1 id="loading-progress" class="loading-progress"></h1>
        </div>
        <script type="module" src="https://ifcjs.github.io/web-ifc-viewer/example/build/main.js"></script>
    </body>
    </html>`);
};

const server = http.createServer(requestListener);
server.listen(port, host, () => {
  console.log(`Server is running on http://${host}:${port}`);
});

Clicking on the first "button" on the left

and selecting an IFC file
results in

[QuimMoya]

Thanks!!!

I will try to find a solution

[anirudh12032008]

Hi is this still open?

[agviegas]

Hi @anirudh12032008

We are going to officially release the new library components on September 20. This library will substitute web-ifc-three and web-ifc-viewer. Both WIV and WIT will remain up, but they will be deprecated and won't be maintained any longer.

All our efforts are going towards components now. The API is very similar, so I strongly suggest you make the leap and start using it. You can start using it now (check out the latest alpha version in npm or see the big-restructure branch in the repo. If you still face this issue with it, you can open an issue there and we'll take a look.

Cheers!

[orazio1234]

As a stopgap, the library could offer an option to disable applying styles, leaving the onus to the developer.