Application cannot run without unsafe-eval, which is a red flag

[AnnoyingTechnology]

Lychee version

latest

Did you check the latest Lychee version?

Yes, I did

Which PHP version are you using?

PHP 8.3

Detailed description of the problem

If one uses a Content Security Policy, Lychee won't run and complains about
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".

Allowing unsafe-eval to the policy is a no-go as it's too dangerous.

Steps to reproduce the issue

No response

Diagnostics [REQUIRED]

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".

Browser & System [REQUIRED]

Any

Please confirm (incomplete submissions will not be addressed)

• I have provided easy and step-by-step instructions to reproduce the bug.
• I understand my bug report will be removed if I haven't met the criteria above.
• I understand that if I am requested to provide more information, I must do so within 14 days or the bug report will be closed.

[d7415]

Lychee provides its own CSP headers. These do not include unsafe-eval.

Lychee/config/secure-headers.php

Line 715 in b2cb911

'unsafe-eval' => false,

[AnnoyingTechnology]

Odd, I just checked, indeed lychee provides its own, but unsafe-eval is allowed.

This is what I get, app pulled from the repo 1h ago

form-action 'self'; frame-ancestors 'none'; 
img-src 'self' https://maps.wikimedia.org/osm-intl/ https://tile.openstreetmap.org/ https://tile.openstreetmap.de/ https://a.tile.openstreetmap.fr/osmfr/ https://b.tile.openstreetmap.fr/osmfr/ https://c.tile.openstreetmap.fr/osmfr/ https://a.osm.rrze.fau.de/osmhd/ https://b.osm.rrze.fau.de/osmhd/ https://c.osm.rrze.fau.de/osmhd/ data: blob:; 
media-src 'self' blob:; object-src 'self' blob:; 
script-src 'self' 'report-sample' 'unsafe-eval' 'unsafe-hashes' 'sha256-FdKE+KVp/tkYM5hwGXGeKZ1EmS4DJ8kbnsKo5YymNrc=' 'sha256-bY67+0U7yUmtjaisfHv+mZXHsAptKwcV1a4EacCUL5M=' 'sha256-fwPcZ6SFcvBLfJYjzlBRZfKzcidwsD4GPcmkVECbSKM=' 'sha256-FCPseLYJ4+r0Mbp93zyaq/x4zQEEPLgEectDgkA/V3A=' 'sha256-T0Fzr5h5zkZyE3QOpQ9anSTcWp19WQ14eO86qdlSdvA=' 'sha256-CL4mGy9ZhHM+PkLDZsWVuM25kEFBv3FXlmWe/O9Unmc=' 'sha256-okzzdI+OgeNYCr3oJXDZ/rPI5WwGyiU5V/RwOQrv5zE=' 'sha256-hHvKTS0wUaMuiFMar2j4TbjYjlLQMR/c5b0bA9DLi6g=' https://www.dropbox.com/static/api/1/dropins.js; 
style-src 'self' 'unsafe-inline'

[d7415]

Hmm... That does indeed seem to be the case... I'll hand over to @ildyria.

[d7415]

Nevermind - found it

Lychee/app/Http/Middleware/DisableCSP.php

Line 49 in b2cb911

// We must disable unsafe-eval because vue3 used by log-viewer requires it.

[AnnoyingTechnology]

That's too bad because appart from that, Lychee's CSP is actually solid.

[ildyria]

Yeah, I spent an hour yesterday trying to get it to work without much luck.
I don't really case that the Logs parts do not have the security guarantees, but the front-end if we can avoid having CSP disabled that would be nice.

This is however not a top priority as it is more of a mitigation of existing XSS... (which should not be there in the first place)