Is there anything special needed to get unsafe-eval working?

I’m trying to get WebAssembly to load in my custom UI app, and I have the following in my manifest:

permissions:
   scopes:
      - read:jira-work
   content:
      styles:
         - 'unsafe-inline'
      scripts:
         - 'unsafe-eval'

I’m still getting this error:
WebAssembly.instantiate(): Refused to compile or instantiate WebAssembly module because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://forge.cdn.prod.atlassian-dev.net").

I don’t think that Forge will allow unsafe-eval. You’ll want to use JSON.parse or similar library.

/Daniel

Thanks @danielwester - yeah I can’t tell if it is meant to work or not. It is documented in the Permissions page for the Forge manifest here https://developer.atlassian.com/platform/forge/manifest-reference/permissions/#content-permissions

And this ticket leads me to believe it is supported and could be improved: [FRGE-1030] - Ecosystem Jira

@AdamMoore might be able to comment.

Hi @BenHogan

I’ve created a really simple Custom UI App, the content is in the following screenshot:

Initially that application was failing with the error message:

CompileError: WebAssembly.instantiateStreaming(): Refused to compile or instantiate WebAssembly module because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://forge.cdn.stg.atlassian-dev.net"

but after adding the following permission the application worked as expected (as seen in the previous screenshot):

permissions:
   content:
      scripts:
         - 'unsafe-eval'

I’ve had to redeploy and upgrade my application after adding the permissions into the manifest.yml file so that the application is using the latest permissions:

forge deploy
forge install --upgrade

Would you be able to confirm that you’ve done a redeploy and upgrade on your application?

If you’re still experiencing the problem, would you be able to provide a cut down version of your code so that I can replicate the problem?

Thanks @CameliaGao for the response!

I finally figured out the problem: I was using a web worker, and it has its own security context if not loaded using a blob. Switching my worker to use a blob allowed it to use the CSP from the main app.

Thanks so much for your help!

Ben

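The worker behaviour described in the last post, as an added example (not code from the thread or from Forge): a small model of which Content Security Policy governs a worker and whether that policy permits WebAssembly compilation, together with a Blob-based worker constructor. The function names, the sample policy strings and the example URLs are assumptions made for illustration.

```javascript
// Parse a CSP header value into { directive: [sources] }; the first copy of a directive wins.
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// WebAssembly compilation is gated by script-src, falling back to default-src.
function allowsWasm(header) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] ?? policy['default-src'];
  if (sources === undefined) return true; // no governing directive, nothing blocks it
  return sources.some(s => ["'unsafe-eval'", "'wasm-unsafe-eval'"].includes(s.toLowerCase()));
}

// A worker started from a local scheme (blob:, data:) inherits its creator's policy;
// a worker fetched over the network is governed by the CSP sent with its own script.
function effectiveWorkerCsp(workerUrl, documentCsp, workerResponseCsp) {
  return /^(blob|data):/i.test(workerUrl) ? documentCsp : workerResponseCsp;
}

function workerCanUseWasm(workerUrl, documentCsp, workerResponseCsp) {
  return allowsWasm(effectiveWorkerCsp(workerUrl, documentCsp, workerResponseCsp));
}

// Browser-only: start a worker from a Blob so that it runs under the page's policy.
// `source` is the worker script text (for example, fetched from the app's own bundle).
function createBlobWorker(source) {
  const url = URL.createObjectURL(new Blob([source], { type: 'text/javascript' }));
  return new Worker(url);
}

// Constructed sample policies: the page after 'unsafe-eval' is granted in the manifest,
// and a worker script served without it (same shape as the directive in the error above).
const DOCUMENT_CSP = "script-src 'self' 'unsafe-eval' https://cdn.example.test";
const WORKER_FILE_CSP = "script-src 'self' https://cdn.example.test";
```

For `createBlobWorker` to succeed, the page's own policy must allow `blob:` as a worker source through `worker-src` or its fallback directives.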