Use of eval which is blocked by script-src Content Security Policy

[will-newmarch]

Is there any possible way the use of 'eval' could be removed from the library? (I realise this might be quite an integral part)

doT/doT.js

Line 40 in 8cae202

_globals = (function(){ return this || (0,eval)("this"); }());

We are having issues with it triggering security warnings around - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

Apparently as part of tightening security using CSP headers eval() is increasingly non-viable.

[mappu]

We're having issues too. Replacing the whole _globals section with window.doT = doT; gets past the first hurdle, but after that, the rest of the code is heavily based on new Function which is eval() in disguise.

[drewlee]

We have also ran into this issue with an NPM module due to doT being used as a transient dependency. Using eval is a definite code smell/bad pattern from a security perspective. Is this project under active maintenance anymore? This seems to be a rather contentious issue to ignore.

[fomenyesu]

I had set the Content-Security-Policy to
"script-src 'self' 'unsafe-eval' 'unsafe-inline'; object-src 'self'"
fix the error

[epoberezkin]

The solution is to either allow eval (as above) or better to precompile templates as part of build step and deploy functions.