Fix CSP: add 'unsafe-eval' to script-src for dashboard#453
Open
citadelgrad wants to merge 1 commit intoRightNow-AI:mainfrom
Open
Fix CSP: add 'unsafe-eval' to script-src for dashboard#453citadelgrad wants to merge 1 commit intoRightNow-AI:mainfrom
citadelgrad wants to merge 1 commit intoRightNow-AI:mainfrom
Conversation
The dashboard's JS framework (Alpine.js/Petite-Vue) uses new AsyncFunction() which requires 'unsafe-eval' in the Content-Security-Policy script-src directive. Without it, the browser blocks these calls and throws EvalError.
Author
Security Review:
|
| Finding | Concern | Verdict |
|---|---|---|
| XSS via Alpine.js directive injection | Attacker injects x-* attributes through x-html |
False positive — Alpine.js does NOT compile directives on HTML injected via x-html; it only sets innerHTML |
marked.js + x-html rendering |
Unsanitized Markdown → HTML via x-html |
Pre-existing — 'unsafe-inline' already permits inline event handlers (onclick, onerror); unrelated to this PR |
| Chat message flow | LLM responses rendered without sanitization | Pre-existing — same root cause as above |
| Weak CSP | 'unsafe-inline' + 'unsafe-eval' = minimal CSP protection |
Architectural concern, not an exploitable vuln introduced here |
Why 'unsafe-eval' is needed
Alpine.js 3.15.8 uses new Function() internally to compile expressions in x-show, @click, :class, etc. Without 'unsafe-eval', the browser throws EvalError and the dashboard JS breaks.
Recommendations for follow-up
These are not blockers for this PR but worth tracking:
- Add DOMPurify to sanitize
renderMarkdown()output beforex-htmlinjection (addresses the pre-existing unsanitized Markdown pipeline) - Long-term: Migrate to nonce-based CSP with precompiled Alpine templates to eliminate both
'unsafe-inline'and'unsafe-eval'
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
'unsafe-eval'to thescript-srcdirective in the Content-Security-Policy headernew AsyncFunction(), which requires'unsafe-eval'— without it the browser blocks execution and throws dozens ofEvalErrorconsole errorsChanged file
crates/openfang-api/src/middleware.rs— one-line change insecurity_headers()middlewareVerification
curl -sI http://127.0.0.1:4200/ | grep -i content-security-policyShould now include
script-src 'self' 'unsafe-inline' 'unsafe-eval'and the dashboard should load withoutEvalErrorconsole errors.