eval() equivalent in Emscripten compiled js is unsafe and doesn't work when enabling CSP

[dinu-marina-typewise]

System information
tfjs-tflite 0.0.1-alpha.9

Describe the current behavior
When setting CSP policy, we get "Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script". We traced this to createNamedFunction() which seems to come from emscripten and uses new Function(). Seemingly it can be disabled at compilation.

Reference:
https://stackoverflow.com/a/64814360
https://github.com/emscripten-core/emscripten/blob/1bc49003b9a5310362d2e4a6334a62be9cd56dc2/src/settings.js#L1282

Describe the expected behavior
Don't use evil eval() :)

[dinu-marina-typewise]

@pyu10055 @mattsoulanille I could try to fix this myself, but I can't find how to compile the WASM libraries... I'm stuck at https://www.tensorflow.org/install/source (Docker Linux builds) but I'm at a loss how to run bazel to produce the wasm files. Could you lend a hand here? Thanks!

[mattsoulanille]

Thanks for the issue report, @dinu-marina-typewise. At the moment, the WASM binaries are built on Google's internal build infrastructure, so you won't be able to build them yourself. One of our goals for Q1 2023 is to open-source this part of the build process.

I agree we should not use eval (or its equivalents). As part of this open-sourcing, I'll try to remove any instances of this in code generated by Emscripten.

[warrenseine]

Hello @mattsoulanille, I'd love to hear that this is a solved issue, but I'm assuming it wasn't tackled yet. Can we expect to see this in a next release?

[gaikwadrahul8]

Hi, @dinu-marina-typewise

Apologize for the delayed response and Just to confirm, May I know have we taken care of this issue with @tensorflow/tfjs-tflite@0.0.1-alpha.10 version which published a month ago ? Thank you!

[github-actions]

This issue has been marked stale because it has no recent activity since 7 days. It will be closed if no further activity occurs. Thank you.

[github-actions]

This issue was closed due to lack of activity after being marked stale for past 7 days.

[google-ml-butler]

Are you satisfied with the resolution of your issue?
Yes
No

[milanJ]

Hi, @dinu-marina-typewise

Apologize for the delayed response and Just to confirm, May I know have we taken care of this issue with @tensorflow/tfjs-tflite@0.0.1-alpha.10 version which published a month ago ? Thank you!

Hi @gaikwadrahul8 ,

Sorry for the late reply. We switched to using TensorFlow JS. But we are now again experimenting with using tfjs-tflite. The issue is not fixed in @tensorflow/tfjs-tflite@0.0.1-alpha.10. eval() is still present in the code.