Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Heap is sweet
On Thu, Jan 29, 2015 at 9:45 AM, <joey@byjoeybaker.com> wrote:
Hello–
I recently updated to your new snippet, but it violates the Content Security Protocol settings I have in place because it uses `eval`. It there anyway to opt-out of a script that uses `eval`?
On 29 January, 2015 at 12:08:25 PM, John Clover (john@heapanalytics.com) wrote:
Hey Joey
This has come up in the past, and unfortunately, there's no way to opt-out of this at the time. It's my understanding (and I'm not an export) that allowing unsafe-eval is no more dangerous than loading externally hosted JavaScript.
The reason we have eval in our new snippet is because we now allow attaching arbitrary JS expressions to events via the Event Visualizer. Lots of customers find this useful for quickly and easily deploying custom event-tracking code, and it's already standard in tools like Google Tag Manager.
The previous snippet also used eval in order to support older browsers (IE<8), but it's not clear why this didn't trigger CSP warnings in the past.
Cheers
John
On Thu, Jan 29, 2015 at 1:49 PM, Joey Baker <joey@byjoeybaker.com> wrote:
Hi John–
I run my personal site as a playground for things we might do at work, and a CSP is something we’ve been toying with, so I appreciate the thoughtful reply. `unsafe-eval` is functionally different from third party scripts for a variety of reasons, the most important being that I trust scripts coming from your domain, but don’t trust that my code is xss-free.
I’ve not dug into your code too much, but is it possible for you guys to only run `eval` if people have enabled the custom event-tracking option? That would be more secure for all users, potentially slightly faster, and allow a stricter CSP.
–Joey
On Thu, Jan 29, 2015 at 2:02 PM, John Clover <john@heapanalytics.com> wrote:
Hey Joey
Thanks for this information, like I said, I'm not an expert on CSP, so it's good to learn a bit more about real issues. I'll run this by the team to see if it's something they can do.
Cheers
John
On 2 February, 2015 at 8:20:51 PM, John Clover (john@heapanalytics.com) wrote:
Hey Joey
Just want to follow up with you about the CSP issues. We just pushed an update to our code that should remove the eval related warnings. Let me know if you can confirm that!
Cheers
John
Confirmed! Thank you to you and your team for the excellent communication and follow through. You guys are great!
–Joey
Thanks Joey!
Glad this works out on your end, and thanks for bringing this to our attention, it turns out the issue was caused by one of our dependencies, so we got rid of the offending code :)
Cheers
John
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.