Request to Remove or Address unsafe-eval Usage in Yoga Layout #1767

Open
opened 2024-12-10 08:29:40 -08:00 by buzzo123 · 4 comments
buzzo123 commented 2024-12-10 08:29:40 -08:00 (Migrated from github.com)

Hi Yoga Layout Team,

I am currently using `@react-pdf/renderer` (version `^4.1.5`) in my project, which depends on `yoga-layout`. During development, I've encountered issues related to the usage of `unsafe-eval` within `yoga-layout`.

Problem

The inclusion of `unsafe-eval` poses significant security risks and violates stricter Content Security Policies (CSPs), which are becoming increasingly common in modern web applications. This makes it challenging to use `yoga-layout` in secure environments without relaxing CSP rules, which isn't always an acceptable solution.

Steps to Reproduce

  1. Integrate `@react-pdf/renderer` (which uses `yoga-layout`) into a project.
  2. Implement a CSP policy that disallows `unsafe-eval`.
  3. Observe the resulting errors when attempting to use `yoga-layout`.

Let me know if additional details, examples, or assistance with refactoring would be helpful. Thank you for all the effort you’ve put into maintaining this essential library!

Best regards,
Michele

NickGerleman commented 2024-12-10 12:31:08 -08:00 (Migrated from github.com)

I didn’t look closely at this, but it seems to come from Emscripten (possibly embind), so bindings would need to change.

guillaumeduboc commented 2024-12-24 00:57:17 -08:00 (Migrated from github.com)

I have the same issue and it would be amazing to see it resolved!
I found this issue regarding `unsafe-eval` and embind: https://github.com/emscripten-core/emscripten/issues/20994. It might be interesting.

NickGerleman commented 2024-12-24 05:07:15 -08:00 (Migrated from github.com)

“DYNAMIC_EXECUTION=0” may depend on moving from “embind” usage to direct calls (which last I looked should theoretically be pretty doable given we already have a stable C API).

Would also be a big performance win.

See https://github.com/facebook/yoga/issues/1545 and https://github.com/facebook/yoga/issues/1507

guillaumeduboc commented 2024-12-26 09:22:36 -08:00 (Migrated from github.com)

I looked quickly into it and it seems there are no calls to `eval`, and `DYNAMIC_EXECUTION=0` is used in https://github.com/facebook/yoga/blob/main/javascript/CMakeLists.txt#L39

The `unsafe-eval` violation is raised by `WebAssembly.instantiate`, so there is no getting around it, I guess.
For now the only way of running WebAssembly with CSPs is to use [`wasm-unsafe-eval`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_webassembly_execution), since [hashes are not supported](https://github.com/WebAssembly/content-security-policy/issues/37).

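The steps to reproduce above and the finding that the violation is raised by `WebAssembly.instantiate` both come down to which source expression the page's `script-src` carries: `'unsafe-eval'` unlocks JavaScript `eval()`/`new Function()` as well as WebAssembly compilation, while `'wasm-unsafe-eval'` unlocks only WebAssembly. As an added example (not code from Yoga, `@react-pdf/renderer` or any commenter in this thread), the JavaScript below parses a CSP header, reports what the effective script policy permits, and narrows a policy that carries `'unsafe-eval'` solely for wasm down to `'wasm-unsafe-eval'`. The sample headers are constructed; the parsing follows the CSP rules that `script-src` falls back to `default-src` and that a repeated directive is ignored.

```javascript
// Added example: audit the CSP directive that governs WebAssembly.instantiate.
// Not Yoga's or react-pdf's code; sample headers below are constructed.

// Parse a CSP header value into a Map of directive name -> source expressions.
function parseCsp(header) {
  const directives = new Map();
  for (const rawDirective of header.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // Per the CSP spec a repeated directive is ignored: the first one wins.
    if (!directives.has(key)) {
      directives.set(key, sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// Source list that governs script execution and WebAssembly compilation:
// script-src if present, otherwise default-src, otherwise unrestricted.
function effectiveScriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null; // no applicable directive: the policy does not restrict scripts
}

// Classify what the policy allows for the two kinds of dynamic code.
function auditEvalPolicy(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) {
    return { restricted: false, allowsJsEval: true, allowsWasm: true };
  }
  const allowsJsEval = sources.includes("'unsafe-eval'");
  // 'unsafe-eval' also permits WebAssembly; 'wasm-unsafe-eval' permits only WebAssembly.
  const allowsWasm = allowsJsEval || sources.includes("'wasm-unsafe-eval'");
  return { restricted: true, allowsJsEval, allowsWasm };
}

// Rewrite 'unsafe-eval' to 'wasm-unsafe-eval' in script-src / default-src so that
// WebAssembly.instantiate still works while JavaScript eval() stays blocked.
function narrowEvalToWasm(header) {
  return header
    .split(';')
    .map((d) => {
      const tokens = d.trim().split(/\s+/).filter(Boolean);
      if (tokens.length === 0) return '';
      const name = tokens[0].toLowerCase();
      if (name !== 'script-src' && name !== 'default-src') return tokens.join(' ');
      const sources = tokens
        .slice(1)
        .map((s) => (s.toLowerCase() === "'unsafe-eval'" ? "'wasm-unsafe-eval'" : s));
      // Deduplicate in case both keywords were already present.
      return [tokens[0], ...new Set(sources)].join(' ');
    })
    .filter(Boolean)
    .join('; ');
}

// Constructed sample headers (not from any real deployment).
const STRICT = "default-src 'self'; script-src 'self'";
const LOOSE = "default-src 'self'; script-src 'self' 'unsafe-eval'";
const WASM_ONLY = "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'";

// Usage: STRICT blocks wasm (the error reported in this issue), LOOSE allows
// both eval and wasm, WASM_ONLY is the narrowest policy that still lets
// WebAssembly.instantiate run.
console.log('strict   ', auditEvalPolicy(STRICT));
console.log('loose    ', auditEvalPolicy(LOOSE));
console.log('wasm-only', auditEvalPolicy(WASM_ONLY));
console.log('narrowed ', narrowEvalToWasm(LOOSE));
```

Running the audit over a header before deploying it catches the common over-correction of adding `'unsafe-eval'` to make a wasm-based library load, when `'wasm-unsafe-eval'` would have sufficed and kept JavaScript `eval()` blocked. Note that `'wasm-unsafe-eval'` is only honoured by browsers that implement it; older browsers that do not recognise the keyword fall back to treating WebAssembly as blocked under that directive.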
Reference: DaddyFrosty/yoga#1767