-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
eval() equivalent in Emscripten compiled js is unsafe and doesn't work when enabling CSP #7144
Comments
@pyu10055 @mattsoulanille I could try to fix this myself, but I can't find how to compile the WASM libraries... I'm stuck at https://www.tensorflow.org/install/source (Docker Linux builds) but I'm at a loss how to run bazel to produce the wasm files. Could you lend a hand here? Thanks! |
Thanks for the issue report, @dinu-marina-typewise. At the moment, the WASM binaries are built on Google's internal build infrastructure, so you won't be able to build them yourself. One of our goals for Q1 2023 is to open-source this part of the build process. I agree we should not use |
Hello @mattsoulanille, I'd love to hear that this is a solved issue, but I'm assuming it wasn't tackled yet. Can we expect to see this in a next release? |
Apologize for the delayed response and Just to confirm, May I know have we taken care of this issue with |
This issue has been marked stale because it has no recent activity since 7 days. It will be closed if no further activity occurs. Thank you. |
This issue was closed due to lack of activity after being marked stale for past 7 days. |
Hi @gaikwadrahul8 , Sorry for the late reply. We switched to using TensorFlow JS. But we are now again experimenting with using tfjs-tflite. The issue is not fixed in |
I'm also encountering this error. To fix this issue in my other WebAssembly files compiled with Emscripten, I've been using the -s NO_DYNAMIC_EXECUTION=1 flag. Is there any other solution that doesn't involve unsafe-eval? |
Hi @milanJ , @dinu-marina-typewise Just wondering, |
Hi @stevedj , No, we haven't resolved this. |
Hi @milanJ are you using Chrome Extension or a web app hosted in a web server? |
@stevedj We have a Kotlin Multiplatform library that is compiled to JS and is then used in Browser and Node.js environment. |
System information
tfjs-tflite 0.0.1-alpha.9
Describe the current behavior
When setting CSP policy, we get "Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script". We traced this to
createNamedFunction()
which seems to come from emscripten and usesnew Function()
. Seemingly it can be disabled at compilation.Reference:
https://stackoverflow.com/a/64814360
https://github.com/emscripten-core/emscripten/blob/1bc49003b9a5310362d2e4a6334a62be9cd56dc2/src/settings.js#L1282
Describe the expected behavior
Don't use evil eval() :)
The text was updated successfully, but these errors were encountered: