Support Basic non-Strict Content-Security Policy (CSP)

If I configure a page using the [OWASP recommended Basic non-Strict CSP Policy](https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html#basic-non-strict-csp-policy), i.e. for example by adding the following `<meta>` tag:

```html
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-ancestors 'self'; form-action 'self';">
```

I get an error similar to the following in Chrome due to `eval` / `Function` constructor usage:

```
    Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self'".

    at Function (<anonymous>)
    at compile (arquero.js?v=01b19c5c:2969:10)
    at expr (arquero.js?v=01b19c5c:2973:27)
    at Object.value (arquero.js?v=01b19c5c:8802:66)
    at parse_default (arquero.js?v=01b19c5c:8817:9)
    at derive (arquero.js?v=01b19c5c:9955:30)
    at ColumnTable.derive (arquero.js?v=01b19c5c:23547:12)
    at main.ts:12:4
```

It would be great to be able to use arquero without requiring `unsafe-eval` (even if it's a teeny bit slower 🐢). [Example stackblitz](https://stackblitz.com/edit/arquero-csp?file=index.html&terminal=dev).

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Support Basic non-Strict Content-Security Policy (CSP) #361

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Support Basic non-Strict Content-Security Policy (CSP) #361

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions