--
You received this message because you are subscribed to the Google Groups "Google Visualization API" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-visualizati...@googlegroups.com.
To post to this group, send email to google-visua...@googlegroups.com.
Visit this group at http://groups.google.com/group/google-visualization-api.
For more options, visit https://groups.google.com/d/optout.
On Wednesday, June 10, 2015 at 11:05:01 PM UTC+10, Daniel LaLiberte wrote:
Hi Anthony,

As noted in David Konrad's answer to this StackOverflow question, the remaining use of eval() in Google Charts code involves browser compatibility. We are now using JSON.parse() in most situations, if it is available. We also have to resolve at least one more use of eval, when processing the response to an XHR request for data from a spreadsheet. The issue here involves calling the JavaScript Date() constructor to create date values, but this use can be entirely replaced by our Date string notation.

But there is one other use of eval that will be more difficult to resolve. When more than one google.load() call is made to load additional code, this must be done in the context of the originally loaded code, and currently, this must be done with an eval(). A simple alternative is to just not support additional calls to google.load().
On Tue, Jun 9, 2015 at 7:29 PM, Anthony D'Andrea <anth...@gmail.com> wrote:
Using Google Charts on my site and I removed `script-src 'unsafe-eval'` from my CSP headers. Now the chart fails to render. It now displays an invalid JSON error. It would be nice if google charts didn't require unsafe-eval so I can be more secure.
On Mon, Sep 11, 2017 at 9:37 PM, Sacha <sacha....@gmail.com> wrote:
Hi Daniel,

Has this been resolved now? If not, is there a workaround for this eval() function?

For security purposes, we have to remove `unsafe-eval` from the CSP and this now breaks our charts...

Thank you.
On Tuesday, September 12, 2017 at 1:04:14 PM UTC+10, Daniel LaLiberte wrote:
I have changed the loader to no longer require eval for dynamic loading. This is available for the 'current' version (v45.2) as well as v45 and v45.1. That was the most complex and real requirement for eval, so I am glad we are done with that.

But I just did a search through the code for other uses of eval, and apparently there are still a few, though mostly incidental. However, it appears we do use eval now even when we could (and should) be using JSON.parse. Now that I see that, I'll make amends. I don't anticipate there should be any serious obstacles, but I've been surprised before.
Great to know that you are working on it, thanks for that. Could you please update this thread when you release a new version without eval?

Many thanks!
The source for this code is:

    gviz.json.unsafeDeserialize = function(jsonString) {
      if (gviz.UNSAFE_EVAL && !gviz.json.cspCompliantMode_) {
        // Add parentheses to disambiguate object literal from control structure
        jsonString = '(' + jsonString + ')';
        // Not using JSON.parse since it does not support the "new" operator.
        var jsonObject = eval(jsonString);
        return /** @type {!Object} */ (gviz.json.fixDateStrings_(jsonObject));
      } else {
        return /** @type {?Object} */ (JSON.parse(jsonString));
      }
    };

Note the check for !gviz.json.cspCompliantMode_. We have no code that sets it to true now, so I expect I can just force JSON.parse to be used always. I'll do that now, and it will be part of the v46 release.
On Fri, Mar 2, 2018 at 3:50 PM, Edward Hartwell Goose <e...@mention-me.com> wrote:
We're just evaluating using a CSP and can confirm we see `unsafe-eval`. It looks like the code is nearly there in the upcoming version - we just trip up in one place, in gvjs_Jh within the compiled_format module.

Daniel - is there anything we can do to help provide you with test cases or similar to help you nail this? I'd be glad to help.

On Wednesday, 28 February 2018 17:16:11 UTC, Kirschner wrote:
I stepped on this problem too, is the upcoming(?) v46 free of evals?

On Tuesday, September 12, 2017 at 6:37:07 AM UTC+2, Daniel LaLiberte wrote:
I will try to remember to post a follow-up here. But I usually forget such things.
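Added example (not Google Charts code, and not from anyone in this thread) of what the JSON.parse-only branch of the deserializer above has to do once the eval() path is gone: the date values that the eval path obtained from `new Date(...)` are rebuilt from the Date string notation Daniel mentions, via a JSON.parse reviver. The function names, the sample responses and the exact grammar of the string notation (`Date(year, month, day[, hours, minutes, seconds[, milliseconds]])` with a zero-based month) are assumptions of this example.

```javascript
// Added example (not Google Charts code): a CSP-compliant stand-in for the eval()
// branch of gviz.json.unsafeDeserialize. JSON.parse plus a reviver does the whole
// job, so the embedding page no longer needs 'unsafe-eval' in script-src.
// Assumption: date cells use the string notation "Date(y, m, d[, h, mi, s[, ms]])".

// Turn one "Date(...)" string into a Date object; anything else yields null.
function parseGvizDate(value) {
  if (typeof value !== 'string' || !value.startsWith('Date(') || !value.endsWith(')')) {
    return null;
  }
  const parts = value.slice(5, -1).split(',').map((p) => p.trim());
  // Year, month and day are required; the four time fields are optional.
  if (parts.length < 3 || parts.length > 7 || !parts.every((p) => /^-?\d+$/.test(p))) {
    return null;
  }
  const n = parts.map(Number);
  const d = new Date(n[0], n[1], n[2], n[3] || 0, n[4] || 0, n[5] || 0, n[6] || 0);
  // new Date(y, ...) maps years 0-99 to 1900-1999; keep the literal year instead.
  if (n[0] >= 0 && n[0] <= 99) d.setFullYear(n[0]);
  return Number.isNaN(d.getTime()) ? null : d;
}

// Strict-JSON deserializer: JSON.parse refuses anything executable, and the
// reviver rebuilds the Date objects that the eval path got from `new Date(...)`.
function cspSafeDeserialize(jsonString) {
  return JSON.parse(jsonString, (key, value) => {
    const d = parseGvizDate(value);
    return d === null ? value : d;
  });
}

// True when text is strict JSON, i.e. it also loads without 'unsafe-eval'.
// A response JSON.parse rejects is the "invalid JSON error" seen in the thread.
function isStrictJson(text) {
  try {
    JSON.parse(text);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample: a DataTable-style response using the string notation.
const SAMPLE_RESPONSE = JSON.stringify({
  cols: [{ id: 'd', label: 'Day', type: 'date' }, { id: 'v', label: 'Value', type: 'number' }],
  rows: [
    { c: [{ v: 'Date(2015, 5, 9)' }, { v: 42 }] },
    { c: [{ v: 'Date(2015, 5, 10, 19, 29)' }, { v: 7 }] },
  ],
});

// Constructed sample of the legacy eval-only shape (unquoted keys, a `new Date`
// expression): eval would run it, JSON.parse throws SyntaxError instead.
const LEGACY_RESPONSE = '{cols: [], rows: [{c: [{v: new Date(2015, 5, 9)}]}]}';

const table = cspSafeDeserialize(SAMPLE_RESPONSE);
console.log(table.rows[0].c[0].v.toISOString(), isStrictJson(LEGACY_RESPONSE));
```

Running `isStrictJson` over a captured response is a quick way to check whether a data source is still producing the legacy, eval-only shape before tightening the CSP.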
I notice that using the "upcoming" version of 46 still uses evals and requires CSP to include "unsafe-eval". Any ETA on when this will be live?
The internal development version can't be rolled out to update the 'upcoming' version until I resolve these other issues. I'll set aside some time this weekend to try to finish it up.