remove unsafe-eval from CSP

cfg/conf.sample.php

@@ -87,7 +87,7 @@ languageselection = false
 ;   async functions and display an error if not and for Chrome to enable
 ;   webassembly support (used for zlib compression). You can remove it if Chrome
 ;   doesn't need to be supported and old browsers don't need to be warned.
-; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval' resource:; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
+; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' resource:; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
 
 ; stay compatible with PrivateBin Alpha 0.19, less secure
 ; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of

js/zlib-1.2.11.js

@@ -1,6 +1,6 @@
 'use strict';
 
-(function() {
+(function () {
     let ret;
 
     async function initialize() {
@@ -23,16 +23,7 @@
             _abort: errno => { console.error(`Error: ${errno}`) },
             _grow: () => { },
         };
-
+        const ins = await WebAssembly.instantiateStreaming(fetch('js/zlib-1.2.11.wasm'), { env });
-        let buff;
-        if (typeof fetch === 'undefined') {
-            buff = fs.readFileSync('zlib-1.2.11.wasm');
-        } else {
-            const resp = await fetch('js/zlib-1.2.11.wasm');
-            buff = await resp.arrayBuffer();
-        }
-        const module = await WebAssembly.compile(buff);
-        const ins = await WebAssembly.instantiate(module, { env });
 
         const srcPtr = ins.exports._malloc(CHUNK_SIZE);
         const dstPtr = ins.exports._malloc(CHUNK_SIZE);
@@ -116,28 +107,28 @@
         }
 
         ret = {
-                inflate(rawDeflateBuffer) {
+            inflate(rawDeflateBuffer) {
-                    const rawInf = new RawInf();
+                const rawInf = new RawInf();
-                    for (let offset = 0; offset < rawDeflateBuffer.length; offset += CHUNK_SIZE) {
+                for (let offset = 0; offset < rawDeflateBuffer.length; offset += CHUNK_SIZE) {
-                        const end = Math.min(offset + CHUNK_SIZE, rawDeflateBuffer.length);
+                    const end = Math.min(offset + CHUNK_SIZE, rawDeflateBuffer.length);
-                        const chunk = rawDeflateBuffer.subarray(offset, end);
+                    const chunk = rawDeflateBuffer.subarray(offset, end);
-                        rawInf.inflate(chunk);
+                    rawInf.inflate(chunk);
-                    }
+                }
-                    const ret = rawInf.getBuffer();
+                const ret = rawInf.getBuffer();
-                    rawInf.destroy();
+                rawInf.destroy();
-                    return ret;
+                return ret;
-                },
+            },
-                deflate(rawInflateBuffer) {
+            deflate(rawInflateBuffer) {
-                    const rawDef = new RawDef();
+                const rawDef = new RawDef();
-                    for (let offset = 0; offset < rawInflateBuffer.length; offset += CHUNK_SIZE) {
+                for (let offset = 0; offset < rawInflateBuffer.length; offset += CHUNK_SIZE) {
-                        const end = Math.min(offset + CHUNK_SIZE, rawInflateBuffer.length);
+                    const end = Math.min(offset + CHUNK_SIZE, rawInflateBuffer.length);
-                        const chunk = rawInflateBuffer.subarray(offset, end);
+                    const chunk = rawInflateBuffer.subarray(offset, end);
-                        rawDef.deflate(chunk, rawInflateBuffer.length <= offset + CHUNK_SIZE);
+                    rawDef.deflate(chunk, rawInflateBuffer.length <= offset + CHUNK_SIZE);
-                    }
+                }
-                    const ret = rawDef.getBuffer();
+                const ret = rawDef.getBuffer();
-                    rawDef.destroy();
+                rawDef.destroy();
-                    return ret;
+                return ret;
-                },
+            },
         }
 
         return ret;

lib/Configuration.php

@@ -54,7 +54,7 @@ class Configuration
             'urlshortener'             => '',
             'qrcode'                   => true,
             'icon'                     => 'identicon',
-            'cspheader'                => 'default-src \'none\'; base-uri \'self\'; form-action \'none\'; manifest-src \'self\'; connect-src * blob:; script-src \'self\' \'unsafe-eval\' resource:; style-src \'self\'; font-src \'self\'; img-src \'self\' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads',
+            'cspheader'                => 'default-src \'none\'; base-uri \'self\'; form-action \'none\'; manifest-src \'self\'; connect-src * blob:; script-src \'self\' resource:; style-src \'self\'; font-src \'self\'; img-src \'self\' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads',
             'zerobincompatibility'     => false,
             'httpwarning'              => true,
             'compression'              => 'zlib',

tpl/bootstrap.php

@@ -54,7 +54,7 @@ if ($ZEROBINCOMPATIBILITY) :
 <?php
 endif;
 ?>
-		<script type="text/javascript" data-cfasync="false" src="js/zlib-1.2.11.js" integrity="sha512-Yey/0yoaVmSbqMEyyff3DIu8kCPwpHvHf7tY1AuZ1lrX9NPCMg87PwzngMi+VNbe4ilCApmePeuKT869RTcyCQ==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/zlib-1.2.11.js" integrity="sha512-Ji/WNgLpfd+sJgYjJv67Tjs4aYeMVrMeYIgCp5VU+EB8INzpfilh0ptjBHa3xem8tLCMROgJR10ilK3saci2YA==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/base-x-3.0.7.js" integrity="sha512-/Bi1AJIP0TtxEB+Jh6Hk809H1G7vn4iJV80qagslf0+Hm0UjUi1s3qNrn1kZULjzUYuaf6ck0ndLGJ7MxWLmgQ==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/rawinflate-0.3.js" integrity="sha512-g8uelGgJW9A/Z1tB6Izxab++oj5kdD7B4qC7DHwZkB6DGMXKyzx7v5mvap2HXueI2IIn08YlRYM56jwWdm2ucQ==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/bootstrap-3.3.7.js" integrity="sha512-iztkobsvnjKfAtTNdHkGVjAYTrrtlC7mGp/54c40wowO7LhURYl3gVzzcEqGl/qKXQltJ2HwMrdLcNUdo+N/RQ==" crossorigin="anonymous"></script>

tpl/page.php

@@ -33,7 +33,7 @@ if ($ZEROBINCOMPATIBILITY):
 <?php
 endif;
 ?>
-		<script type="text/javascript" data-cfasync="false" src="js/zlib-1.2.11.js" integrity="sha512-Yey/0yoaVmSbqMEyyff3DIu8kCPwpHvHf7tY1AuZ1lrX9NPCMg87PwzngMi+VNbe4ilCApmePeuKT869RTcyCQ==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/zlib-1.2.11.js" integrity="sha512-Ji/WNgLpfd+sJgYjJv67Tjs4aYeMVrMeYIgCp5VU+EB8INzpfilh0ptjBHa3xem8tLCMROgJR10ilK3saci2YA==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/base-x-3.0.7.js" integrity="sha512-/Bi1AJIP0TtxEB+Jh6Hk809H1G7vn4iJV80qagslf0+Hm0UjUi1s3qNrn1kZULjzUYuaf6ck0ndLGJ7MxWLmgQ==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/rawinflate-0.3.js" integrity="sha512-g8uelGgJW9A/Z1tB6Izxab++oj5kdD7B4qC7DHwZkB6DGMXKyzx7v5mvap2HXueI2IIn08YlRYM56jwWdm2ucQ==" crossorigin="anonymous"></script>
 <?php