
Remove unsafe-eval#9287

Open
himadrisingh wants to merge 2 commits into main from unsafe-evals

Conversation

@himadrisingh
Contributor

Removed 'unsafe-eval' from the script-src directive in web-admin/svelte.config.js. Vega charts use vega-interpreter (with ast: true, expr: expressionInterpreter) as of commit 8350025, which makes them CSP-compliant without eval. No other direct uses of eval() or new Function() were found in the codebase.

Checklist:

  • Covered by tests
  • Ran it and it works as intended
  • Reviewed the diff before requesting a review
  • Checked for unhandled edge cases
  • Linked the issues it closes
  • Checked if the docs need to be updated. If so, create a separate Linear DOCS issue
  • Intend to cherry-pick into the release branch
  • I'm proud of this work!

@himadrisingh himadrisingh self-assigned this Apr 23, 2026
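The description above makes two claims worth being able to check mechanically: that `script-src` no longer carries `'unsafe-eval'`, and that nothing left in the codebase calls `eval()` or `new Function()`. The block below is an added example, not code from this PR or from the Rill repository: it serializes a SvelteKit-style `kit.csp.directives` object into a Content-Security-Policy header value (assuming SvelteKit's convention of bare keywords such as `self` and `unsafe-eval` that the framework quotes itself), lints the directives for `unsafe-eval`, `unsafe-inline` and wildcard hosts, and scans a constructed sample of source text for direct eval sinks. The directive values and the sample source lines are constructed for the example.

```javascript
// Added example, not part of the PR. Directive values follow SvelteKit's
// kit.csp.directives convention: keywords are written bare ('self',
// 'unsafe-eval') and quoted when the header is built; hosts are left as-is.
const CSP_KEYWORDS = new Set([
  'self', 'none', 'unsafe-inline', 'unsafe-eval', 'wasm-unsafe-eval',
  'strict-dynamic', 'unsafe-hashes', 'report-sample',
]);

// Keywords, nonces and hashes must be single-quoted in the header value;
// host sources and scheme sources must not be.
function quoteSource(src) {
  if (CSP_KEYWORDS.has(src) || /^(nonce|sha256|sha384|sha512)-/.test(src)) {
    return `'${src}'`;
  }
  return src;
}

// Serialize { 'script-src': [...], ... } into one header value.
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.map(quoteSource).join(' ')}`)
    .join('; ');
}

// Report the weakenings a reviewer would ask about. Returns an array of
// "directive: message" strings; empty means nothing to flag.
function lintCsp(directives) {
  const findings = [];
  for (const [name, sources] of Object.entries(directives)) {
    for (const src of sources) {
      if (src === 'unsafe-eval') {
        findings.push(`${name}: 'unsafe-eval' re-enables eval()/new Function()`);
      } else if (src === 'unsafe-inline') {
        findings.push(`${name}: 'unsafe-inline' allows any inline script`);
      } else if (/^https?:\/\/\*\./.test(src)) {
        findings.push(`${name}: wildcard host ${src} trusts every subdomain`);
      }
    }
  }
  return findings;
}

// Text scan for the direct sinks the PR description says were searched for.
// It is a textual check only: it does not evaluate code, and it does not
// distinguish comments or strings from live code.
function findEvalSinks(source) {
  const sinkPattern = /\b(?:new\s+Function|eval)\s*\(/g;
  const hits = [];
  source.split('\n').forEach((text, idx) => {
    for (const m of text.matchAll(sinkPattern)) {
      hits.push({ line: idx + 1, match: m[0].replace(/\s+/g, ' ') });
    }
  });
  return hits;
}

// Constructed directives: the shape of script-src before and after the change.
const SCRIPT_SRC_BEFORE = { 'script-src': ['self', 'unsafe-eval', 'https://*.app-us1.com/'] };
const SCRIPT_SRC_AFTER = { 'script-src': ['self', 'https://*.app-us1.com/'] };

// Constructed source sample: two real sinks, one false-positive trap
// (evaluateSpec), and the vega-interpreter wiring the description refers to.
const SAMPLE_SOURCE = [
  "import { expressionInterpreter } from 'vega-interpreter';",
  "embed(el, spec, { ast: true, expr: expressionInterpreter });",
  "const f = new Function('a', 'return a + 1');",
  "window.eval('1 + 1');",
  "const evaluated = evaluateSpec(spec);",
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(serializeCsp(SCRIPT_SRC_BEFORE));
  console.log(lintCsp(SCRIPT_SRC_BEFORE));
  console.log(lintCsp(SCRIPT_SRC_AFTER));
  console.log(findEvalSinks(SAMPLE_SOURCE));
}
```

The scan is deliberately crude: a hit is something to look at, not proof of a violation, and a clean scan does not cover code that reaches `eval` indirectly (for example a charting library compiling expressions at run time). The reliable check for the latter is the one the browser does for you: load the pages that render Vega charts under the new policy with the DevTools console open and look for `script-src` violation reports.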
The Stripe docs' CSP guidance (adding checkout.stripe.com to script-src, connect-src, frame-src) only applies if Stripe.js or embedded Checkout is loaded directly in the page. Since this integration redirects to Stripe-hosted pages and all Stripe API calls happen server-side in Go, none of those entries are needed. If the integration ever moves to embedded Checkout, the specific entries to add would be https://js.stripe.com (script-src), https://api.stripe.com (connect-src), and https://js.stripe.com https://hooks.stripe.com (frame-src).
"https://docs.google.com",
"https://storage.googleapis.com",
"https://cdn.prod.website-files.com",
"https://*.stripe.com",
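Review bot: `"https://*.stripe.com"` is a wildcard over every Stripe subdomain, which is broader than the three hosts the reply above names for an embedded Checkout (`https://js.stripe.com` for script-src, `https://api.stripe.com` for connect-src, `https://js.stripe.com https://hooks.stripe.com` for frame-src). Since the current integration redirects to Stripe-hosted pages and makes its API calls server-side, the entry is not needed at all; drop it, or if it is kept for a planned embedded Checkout, replace the wildcard with the specific host each directive actually needs.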
Collaborator


Is this an intended change?

"self",
"unsafe-eval",
"https://*.app-us1.com/",
//https://support.usepylon.com/articles/5968160735-chat-widget-debugging-guide
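Review bot: the `//https://support.usepylon.com/...` line leaves a JavaScript line comment inside the source list, so a reader cannot tell whether the Pylon chat widget origin is meant to be allowed or not. Either add the widget's origin as a real quoted array entry on its own line, or delete the comment and keep the link in the commit message if the pointer is wanted. Separately, once `"unsafe-eval"` is gone from script-src, any `eval()` or `new Function()` call that is still reached fails at run time as a CSP violation rather than at build time, so the pages that render Vega charts, which the description says now go through vega-interpreter, are worth exercising in the browser with the console open before this merges.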
Collaborator


Let's not keep commented-out parts. If we want to add an exception for this, uncomment it.


2 participants