joeybaker/gist:d12e9466afd8b2e8db93

## gistfile1.txt
On Thu, Jan 29, 2015 at 9:45 AM, <joey@byjoeybaker.com> wrote:
Hello–

I recently updated to your new snippet, but it violates the Content Security Protocol settings I have in place because it uses `eval`. It there anyway to opt-out of a script that uses `eval`?


On 29 January, 2015 at 12:08:25 PM, John Clover (john@heapanalytics.com) wrote:

Hey Joey

This has come up in the past, and unfortunately, there's no way to opt-out of this at the time. It's my understanding (and I'm not an export) that allowing unsafe-eval is no more dangerous than loading externally hosted JavaScript.

The reason we have eval in our new snippet is because we now allow attaching arbitrary JS expressions to events via the Event Visualizer. Lots of customers find this useful for quickly and easily deploying custom event-tracking code, and it's already standard in tools like Google Tag Manager.

The previous snippet also used eval in order to support older browsers (IE<8), but it's not clear why this didn't trigger CSP warnings in the past.

Cheers
John


On Thu, Jan 29, 2015 at 1:49 PM, Joey Baker <joey@byjoeybaker.com> wrote:
Hi John–

I run my personal site as a playground for things we might do at work, and a CSP is something we’ve been toying with, so I appreciate the thoughtful reply. `unsafe-eval` is functionally different from third party scripts for a variety of reasons, the most important being that I trust scripts coming from your domain, but don’t trust that my code is xss-free.

I’ve not dug into your code too much, but is it possible for you guys to only run `eval` if people have enabled the custom event-tracking option? That would be more secure for all users, potentially slightly faster, and allow a stricter CSP.


–Joey


On Thu, Jan 29, 2015 at 2:02 PM, John Clover <john@heapanalytics.com> wrote:
Hey Joey

Thanks for this information, like I said, I'm not an expert on CSP, so it's good to learn a bit more about real issues. I'll run this by the team to see if it's something they can do.

Cheers
John


On 2 February, 2015 at 8:20:51 PM, John Clover (john@heapanalytics.com) wrote:

Hey Joey

Just want to follow up with you about the CSP issues. We just pushed an update to our code that should remove the eval related warnings. Let me know if you can confirm that!

Cheers
John


Confirmed! Thank you to you and your team for the excellent communication and follow through. You guys are great!


–Joey


Thanks Joey!

Glad this works out on your end, and thanks for bringing this to our attention, it turns out the issue was caused by one of our dependencies, so we got rid of the offending code :)

Cheers
John
	On Thu, Jan 29, 2015 at 9:45 AM, <joey@byjoeybaker.com> wrote:
	Hello–

	I recently updated to your new snippet, but it violates the Content Security Protocol settings I have in place because it uses `eval`. It there anyway to opt-out of a script that uses `eval`?



	On 29 January, 2015 at 12:08:25 PM, John Clover (john@heapanalytics.com) wrote:

	Hey Joey

	This has come up in the past, and unfortunately, there's no way to opt-out of this at the time. It's my understanding (and I'm not an export) that allowing unsafe-eval is no more dangerous than loading externally hosted JavaScript.

	The reason we have eval in our new snippet is because we now allow attaching arbitrary JS expressions to events via the Event Visualizer. Lots of customers find this useful for quickly and easily deploying custom event-tracking code, and it's already standard in tools like Google Tag Manager.

	The previous snippet also used eval in order to support older browsers (IE<8), but it's not clear why this didn't trigger CSP warnings in the past.

	Cheers
	John




	On Thu, Jan 29, 2015 at 1:49 PM, Joey Baker <joey@byjoeybaker.com> wrote:
	Hi John–

	I run my personal site as a playground for things we might do at work, and a CSP is something we’ve been toying with, so I appreciate the thoughtful reply. `unsafe-eval` is functionally different from third party scripts for a variety of reasons, the most important being that I trust scripts coming from your domain, but don’t trust that my code is xss-free.

	I’ve not dug into your code too much, but is it possible for you guys to only run `eval` if people have enabled the custom event-tracking option? That would be more secure for all users, potentially slightly faster, and allow a stricter CSP.


	–Joey


	On Thu, Jan 29, 2015 at 2:02 PM, John Clover <john@heapanalytics.com> wrote:
	Hey Joey

	Thanks for this information, like I said, I'm not an expert on CSP, so it's good to learn a bit more about real issues. I'll run this by the team to see if it's something they can do.

	Cheers
	John




	On 2 February, 2015 at 8:20:51 PM, John Clover (john@heapanalytics.com) wrote:

	Hey Joey

	Just want to follow up with you about the CSP issues. We just pushed an update to our code that should remove the eval related warnings. Let me know if you can confirm that!

	Cheers
	John



	Confirmed! Thank you to you and your team for the excellent communication and follow through. You guys are great!


	–Joey



	Thanks Joey!

	Glad this works out on your end, and thanks for bringing this to our attention, it turns out the issue was caused by one of our dependencies, so we got rid of the offending code :)

	Cheers
	John