CSP violations for unsafe-inline in pdfjst-dist@2.0.943

Configuration:
- Chrome
- Mac OSX
- PDF.js version: pdfjs-dist `2.0.943`
- Is a browser extension: false

We have a content security policy that prevents `unsafe-inline`.

Unfortunately, after upgrading to 2.0.943, [pdfjs-dist/build/pdf.js now has a `Function("return this")` call](https://github.com/mozilla/pdfjs-dist/blob/v2.0.943/build/pdf.js#L13154) (which violates CSP.

My understanding was this was introduced when support for [async/await and generators was added to the gulpfile.js](https://github.com/mozilla/pdf.js/commit/099ed0885239f070f7c7e1d703b57cc64c3f634d#diff-b9e12334e9eafd8341a6107dd98510c9R185).

Upon searching for the babel plugin and finding the GitHub issues, I find [only two issues](https://github.com/babel/babel/issues?utf8=%E2%9C%93&q=content+security+policy) which don't really seem to be covering the issue.

I'm unsure of how to build my own version of pdfjs-dist to try and isolate to see if this is definitively the issue, so just posting this to see if I can get some help/pointers!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CSP violations for unsafe-inline in [email protected] #10229

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CSP violations for unsafe-inline in [email protected] #10229

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions