Cannot use JsonPath libraries in browser due to "unsafe-eval" CSP directive - browser

I want to use some JsonPath library in the browser, but they all rely on eval()/Function(), which gets caught with unsafe-eval by CSP. Any other workarounds/3rd-party libraries like static-eval/safe-eval also all get caught with the same console error. Does anyone know of any other potential workarounds to resolve this unsafe-eval issue besides allowing the unsafe-eval CSP directive?

The best thing I found was an old fork of JSONPath-Plus that attempted to create a non-eval version of the library. Here's the Pull Request; however, this was never merged (fully) because of some merge issues and performance issues.
I imagine performance would be a problem for other non-eval implementations as well, and that's why we have none, at least to my knowledge.
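As an added example (not code from JSONPath-Plus, the linked PR, or either post above), here is a JSONPath-subset evaluator that avoids eval()/Function() entirely, so it runs under a policy that omits 'unsafe-eval'; the supported subset, the sample document and the function names are assumptions of this example.

```javascript
// Added example (not JSONPath-Plus or its non-eval PR): a JSONPath-subset evaluator with
// no eval()/new Function(), so it loads under "Content-Security-Policy: script-src 'self'".
// Supports $, .name, ['name'], [n] (negative n counts from the end), .* / [*] and '..'.
// Filters [?(...)] are omitted: compiling them is what trips 'unsafe-eval' in eval-based libs.
function tokenize(path) {
  const re = /\$|\.\.|\.|\[\s*(?:'([^']*)'|"([^"]*)"|(\*)|(-?\d+))\s*\]|([^.\[\]]+)/g;
  const tokens = [];
  let pos = 0, m;
  while ((m = re.exec(path)) !== null) {
    if (m.index !== pos) throw new Error(`unsupported syntax at offset ${pos}`);
    pos = re.lastIndex;
    if (m[0] === '$' || m[0] === '.') continue;           // root marker / child separator
    if (m[0] === '..') tokens.push({ type: 'recursive' });
    else if (m[3] || m[5] === '*') tokens.push({ type: 'wildcard' });
    else if (m[4] !== undefined) tokens.push({ type: 'child', key: Number(m[4]) });
    else tokens.push({ type: 'child', key: m[1] ?? m[2] ?? m[5] });
  }
  if (pos !== path.length) throw new Error(`unsupported syntax at offset ${pos}`);
  return tokens;
}
const isObj = (n) => n !== null && typeof n === 'object';
const children = (node) => (isObj(node) ? Object.values(node) : []);
// One child by property name or (possibly negative) array index; [] when it does not exist.
function child(node, key) {
  if (Array.isArray(node)) {
    if (typeof key !== 'number') return [];
    const i = key < 0 ? node.length + key : key;
    return i >= 0 && i < node.length ? [node[i]] : [];
  }
  return isObj(node) && Object.prototype.hasOwnProperty.call(node, key) ? [node[key]] : [];
}
// The node plus every descendant, depth-first: the set that '..' hands to the next selector.
function descend(node, out) {
  out.push(node);
  for (const v of children(node)) descend(v, out);
  return out;
}
// Apply each selector to the current node set; the result is the list of matched values.
function jsonPath(obj, path) {
  return tokenize(path).reduce((nodes, t) => nodes.flatMap((n) =>
    t.type === 'recursive' ? descend(n, []) :
    t.type === 'wildcard' ? children(n) : child(n, t.key)), [obj]);
}
// Constructed sample document (the bookstore shape from the JSONPath examples).
const SAMPLE = { store: { book: [
  { author: 'Nigel Rees', title: 'Sayings of the Century', price: 8.95 },
  { author: 'Evelyn Waugh', title: 'Sword of Honour', price: 12.99 }],
  bicycle: { color: 'red', price: 19.95 } } };
```

Unsupported syntax (including filter expressions) raises an error instead of being silently ignored, so a rejected path cannot be mistaken for an empty result.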


Bazel nodejs liveserver

I've been going through the documentation at https://bazelbuild.github.io/rules_nodejs/ in order to put together a small web-based application. I've got babel building the JS code, http_server serving it, and ibazel watching it, and everything is working as expected: when I make a change, ibazel notices it and restarts the http_server rule.
The next thing I wanted to look at is getting autoreload in the browser so that the browser would automatically refresh when the change was compiled. My understanding is that this requires the http server to not be killed by ibazel, but instead to stay up and trigger a refresh via the ibazel_live_reload mechanism. I believe that http_server doesn't support this, but ts_devserver is explicitly mentioned in several places. However, ts_devserver doesn't seem to be maintained anymore (although I did find a devserver EXE in the npm package, there isn't a bazel rule that I saw to use it).
Is there a third party live development server that supports the ibazel reload mechanism - or am I missing something completely obvious?
Disclosure: I'm a core maintainer on rules_nodejs.
As of rules_nodejs v3.0.0, ts_devserver has been renamed to concatjs_devserver to try and better namespace it (it has little to nothing really to do with TypeScript). Its docs can be found here.
Note though that the concatjs_devserver comes with some compatibility gotchas: all dependencies have to be in named AMD/UMD or goog.module format, for example, and it may be tricky to use unless following the rest of the google3 toolchain.
We've (as the maintainers of rules_nodejs) tried not to wrap an existing devserver and publish it as of yet for various reasons, but it's something that has come up in discussion. I'm currently investigating some options in this space.
I'm not aware of any published devservers that currently support the ibazel protocol; there is a wrap of browsersync in the Angular Components repo which you may find useful.

node-quickbooks vs intuit-oauth

I am doing research on quickbooks online integration using node and angular 8.
The official intuit developer site provides two node packages.
One is official from Intuit and one is from the community.
I have glanced through both of them.
The official package is fairly universal. It essentially is just an API client that sends a request to a remote server, and the payload is basic JSON format.
The community package seems a bit more specific, but the documentation seems a bit confusing.
Which one would you choose to do the work and why?
I would love to hear your input.
Thanks :)
The Intuit provided library (intuit-oauth) is specifically for authenticating and getting the OAuth token you need to communicate with the Quickbooks API, the other library (node-quickbooks) is for making the actual calls against the API endpoints.
You will need both libraries, unless you are handling authentication in a different way.
Fwiw for whoever finds this useful:
I forked intuit-oauth, added TypeScript and fixed vulnerabilities that have been fixed in the PRs of their repo for years and never updated here: https://www.npmjs.com/package/intuit-oauth-ts
Additionally I forked node-quickbooks, updated the API to return promises rather than relying on callbacks, resolved the discovery URLs automatically, changed the format of response objects to be more sensible, and added (unfortunately only some) of the TypeScript definitions for it here: https://www.npmjs.com/package/qbo. I don't have enough time to add the definitions for all of the files (largely because the included ones should be completely exhaustive for every property in the QBO API, which is time-consuming to define). If someone would like to contribute by adding more of the TypeScript definitions or adding all of them, I would really appreciate it.
I am interested in any example Angular app using intuit-oauth.
Trying to work it out but getting issues since there is no documentation for TypeScript.

Does struts2.3.15.3 security issue also affect the tiles plugin?

I upgraded struts2 to 2.3.32 with no problem, but I also depend on struts2-tiles-plugin-2.3.15.3.jar which I can't upgrade as easily. Is this a problem or is upgrading struts2-core enough to fix the issue?
No, I think. In S2-046's workaround section I read:
Another option is to remove the File Upload Interceptor from the stack
Which means that vulnerability was inside core. However, struts2-tiles-plugin does not have a dependency on core!

Where is the source code for electron (atom-shell) Module.require?

I am using a custom require function which mimics nodejs require and it works fine.
However, in electron, I get
SecurityError: An attempt was made to break through the security policy of the user agent.
when calling window.addEventListener inside the custom-required code.
If I could read the source code for electron's 'require' function, I could probably understand why my version fails.
What you are looking for should be on GitHub.
https://github.com/atom/atom
or...
https://github.com/atom/electron
or...
https://github.com/atom/node
Based on your update the code you are looking for (with regard to sharing the global context) is actually here: https://github.com/atom/node/blob/atom-iojs/lib/module.js#L399
Because Electron doesn't include the most current version of Node.js, I thought it worth mentioning.
After inspection with toString, the sources are the same as nodejs except for compilation when Module._contextload is true. This part seems to be optimised away.
My code now works correctly by compiling with the global context shared, and thus behaving as if coming from the same origin (XSS prevention in Chromium). This is the same functionality as require in Electron.

How to disable X-Frame-Options in QtWebKit

I have a problem regarding the security of QtWebKit: I want to disable X-Frame-Options so I can embed sites such as facebook.com in iframes inside my app.
I know that can be done using the WebCore API (isWebSecurityEnabled switch, http://trac.webkit.org/wiki/ConfigurableFeatures), but I didn't find any way of doing it with QtWebKit.
Thank you!
I had the same problem (but applied to the command-line browser phantomjs with the rendering engine QtWebKit), and the only option, after analyzing the issue, is modifying the rendering behavior of QtWebKit.
The good news: the change is very small; we just change the function FrameLoader::shouldInterruptLoadForXFrameOptions to return false in any condition (https://github.com/deerme/phantomjs/blob/master/src/qt/qtwebkit/Source/WebCore/loader/FrameLoader.cpp#L2986).
In my particular case I did a fork of the phantomjs repository with this small change in QtWebKit (https://github.com/deerme/phantomjs).
So, in your particular case, you should download the source code of QtWebEngine and make the change and finally you can use the QtWebEngine modified in your Qt application.
