-
Type: Bug
-
Resolution: Unresolved
-
Priority: Minor - P4
-
None
-
Affects Version/s: bson-4.0.0, bson-5.0.0, bson-6.0.0
-
Component/s: BSON
-
Labels:
What problem are you facing?
When using the module `bson` in a browser, it fails when the Content-Security Policy `unsafe-eval` (or 'wasm-unsafe-eval') is not enabled with the error:
`Refused to compile or instantiate WebAssembly module because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive`
This originates from https://github.com/mongodb/js-bson/blame/bc95ab4f994b179b3536c213f5d7198a9178182d/src/long.ts#L59
Since enabling 'wasm-unsafe-eval' or 'unsafe-eval' is not a good practice, it would be useful to somehow have an explicit opt-in to enable this optimization rather than rely on a try / catch that doesn't work to detect if the CSP allows for this code to be executed.
What driver and relevant dependency versions are you using?
I am using version 4.7.2, but it seems to originate in the rewrite in TS which introduced the wasm optimizations in 4.2.0
Steps to reproduce?
Import library in a website where the CSP directive does not enable unsafe-eval.