
Security issue - content security policy - script unsafe-eval #378

Open
stiano opened this issue Nov 3, 2023 · 4 comments
Labels
question Further information is requested

Comments

@stiano

stiano commented Nov 3, 2023

Context:
I use the @xenova/transformers 2.6.2 npm package from a web application to do image classifications. Here is the gist of my setup:

import { pipeline, env } from '@xenova/transformers';

const modelPath = 'own-domain/models-and-wasm/'

env.localModelPath = "/";
env.useBrowserCache = true;
env.backends.onnx.wasm.wasmPaths = modelPath; // serve the ONNX Runtime .wasm files from our own domain

const classifier = await pipeline("image-classification", modelPath, { quantized: true });
const output = await classifier(imagePath, { topk: 5 }); // imagePath: the image to classify, defined elsewhere in the app

Everything works code-wise, but when I remove unsafe-inline from the CSP, it fails with this warning in the browser console:

Failed to asynchronously prepare wasm: 
CompileError: WebAssembly.instantiate(): Refused to compile or instantiate WebAssembly module because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive

I cannot allow script-src: unsafe-eval in my web application (corporate rules). Do I have any alternatives?

@stiano stiano added the question Further information is requested label Nov 3, 2023
@MentalGear

MentalGear commented Nov 4, 2023

There is the CSP wasm-unsafe-eval permission, specifically for that.
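The distinction behind this reply, as an added example that is not code from transformers.js or from anyone in this thread: a minimal evaluator for the two CSP decisions at stake, whether JavaScript eval() is allowed and whether WebAssembly may be compiled, so a candidate policy can be checked offline before it reaches the browser. The header strings at the bottom are constructed for illustration.

```javascript
// Added example (not from transformers.js or this thread): a small model of
// the CSP rules that govern eval() and WebAssembly compilation.

// Parse a Content-Security-Policy header value into { directive: [sources] }.
// Per CSP, a repeated directive name is ignored after its first occurrence.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in policy)) policy[key] = sources;
  }
  return policy;
}

// eval() and WebAssembly compilation are governed by script-src; when it is
// absent the browser falls back to default-src, and with neither present the
// policy does not restrict them at all (returned as null).
function governingSources(policy) {
  if ("script-src" in policy) return policy["script-src"];
  if ("default-src" in policy) return policy["default-src"];
  return null;
}

// Keyword sources only count when single-quoted: a bare unsafe-eval is a
// host-source that would match a server literally named "unsafe-eval".
function hasKeyword(sources, keyword) {
  return sources.some((s) => s.toLowerCase() === `'${keyword}'`);
}

// JavaScript eval(), new Function() and string-argument timers all need
// 'unsafe-eval'.
function allowsJsEval(header) {
  const sources = governingSources(parseCsp(header));
  return sources === null || hasKeyword(sources, "unsafe-eval");
}

// WebAssembly.compile/instantiate is allowed by either 'unsafe-eval' or the
// narrower 'wasm-unsafe-eval'. Browsers that predate the latter ignore it as
// an unknown source expression and therefore still block wasm.
function allowsWasmCompile(header) {
  const sources = governingSources(parseCsp(header));
  return (
    sources === null ||
    hasKeyword(sources, "unsafe-eval") ||
    hasKeyword(sources, "wasm-unsafe-eval")
  );
}

// Several policies can apply at once (multiple headers, or a header plus a
// <meta> tag); each one has to allow the action independently.
function allowsUnderAll(headers, check) {
  return headers.every(check);
}

// Constructed policies: the locked-down one that yields the CompileError in
// this issue, the overly broad fix, the narrow fix, and a common typo.
const POLICIES = {
  locked: "default-src 'self'; script-src 'self'",
  broad: "default-src 'self'; script-src 'self' 'unsafe-eval'",
  narrow: "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'",
  unquoted: "default-src 'self'; script-src 'self' wasm-unsafe-eval",
};
```

The point to take to a policy review is that the narrow policy lets the ONNX Runtime wasm compile while still rejecting JavaScript eval(), so it does not reopen the hole that 'unsafe-eval' would; the unquoted variant is a silent no-op that keeps the CompileError.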

@stiano
Author

stiano commented Nov 6, 2023

What if I cannot use wasm-unsafe-eval either? What are my options then? Another library, perhaps?

@xenova
Owner

xenova commented Nov 6, 2023

Hi there 👋 So, the only place that eval is used is in one of the dependencies that onnxruntime (one of our dependencies) uses: protobuf.js.

function inquire(moduleName) {
    try {
        var mod = eval("quire".replace(/^/,"re"))(moduleName); // eslint-disable-line no-eval
        if (mod && (mod.length || Object.keys(mod).length))
            return mod;
    } catch (e) {} // eslint-disable-line no-empty
    return null;
}

As you can see, it is completely safe, since it replaces a static string and evaluates that (which becomes require). I believe this is needed because certain build tools replace the require function with something else during build time. Unfortunately, this does trigger unsafe-eval.

This has actually been an issue for years, but some users seem to have found a way around it: protobufjs/protobuf.js#593

Let me know if you get it right, because I think this will benefit other users too :) 🤗
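The eval that xenova points at, as an added example that is not code from transformers.js or protobuf.js: an eval-free stand-in for the `inquire` helper that a bundler alias can substitute for it, plus a pre-ship scan of bundle text for the constructs a policy without 'unsafe-eval' blocks. The alias shape and the package name "@protobufjs/inquire" are assumptions about the build setup, the exact workaround from the protobuf.js thread is not reproduced here, and the sample bundle text is constructed for illustration.

```javascript
// Added example (not from transformers.js or protobuf.js).

// In a browser bundle there is normally no CommonJS `require`, so the quoted
// helper's eval either throws ReferenceError or, under a CSP without
// 'unsafe-eval', EvalError; both are swallowed by its try/catch and the
// function returns null. Returning null directly keeps that behaviour and
// removes the eval.
function inquireStub(moduleName) {
  void moduleName; // accepted for signature compatibility, never resolved
  return null;
}

// Assumed bundler wiring (webpack shown; Vite/Rollup have equivalents):
//   resolve: { alias: { "@protobufjs/inquire": path.resolve("./inquire-stub.js") } }
// with inquire-stub.js exporting inquireStub as its module export.

// Constructs governed by 'unsafe-eval'. These are textual heuristics: a bundle
// that builds the call name at runtime (window["ev" + "al"]) or reaches eval
// through an alias slips past a grep.
const EVAL_PATTERNS = [
  { kind: "eval", re: /\beval\s*\(/ },
  { kind: "new Function", re: /\bnew\s+Function\s*\(/ },
  { kind: "string timer", re: /\b(?:setTimeout|setInterval)\s*\(\s*["'`]/ },
];

// Scan bundle text line by line; one finding per matching pattern.
function findEvalLike(source) {
  const findings = [];
  source.split("\n").forEach((text, index) => {
    for (const { kind, re } of EVAL_PATTERNS) {
      if (re.test(text)) findings.push({ line: index + 1, kind, text: text.trim() });
    }
  });
  return findings;
}

// Summary a CI step can fail on: true when the bundle is clean.
function bundleIsEvalFree(source) {
  return findEvalLike(source).length === 0;
}

// Constructed bundle excerpt: the protobuf.js helper quoted in the thread,
// lines that must not be flagged (an identifier that merely starts with
// "eval", a timer given a function) and two more that must be.
const SAMPLE_BUNDLE = [
  "function inquire(moduleName) {",
  "  try {",
  '    var mod = eval("quire".replace(/^/,"re"))(moduleName);',
  "    if (mod && (mod.length || Object.keys(mod).length)) return mod;",
  "  } catch (e) {}",
  "  return null;",
  "}",
  "const score = evaluate(model, input);",
  "setTimeout(() => render(score), 0);",
  'setTimeout("render(score)", 0);',
  'const add = new Function("a", "b", "return a + b");',
].join("\n");
```

Running the scan over the built bundle before deployment is the check that tells you whether the alias actually took effect; without it, a blocked eval inside that try/catch degrades quietly to null while still generating a CSP violation report on every page load. WebAssembly.instantiate is deliberately not on the pattern list, since it is governed by 'wasm-unsafe-eval' rather than by the eval rule.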

@MentalGear

MentalGear commented Nov 6, 2023 via email
