Type: Bug
Status: Resolved
Priority: Major
Resolution: Won't Fix
Affects Version/s: 3.0.2
Fix Version/s: None
Component/s: Filters
Tags:
Backlog priority: 850
Sprint: UI - 2023-12, UI - 2024-02, UI COOLDOWN - 2023-12
Story Points: 5
If using a stricter CSP (removing 'unsafe-eval' and 'unsafe-inline'), org.nuxeo.web.ui.expressions.eval must be set to false. However, doing so causes any use of the arrow function syntax (=>) in nuxeo-filter expressions to trigger a SyntaxError in the console and fail the condition check.
Steps to Reproduce:
1. Set the following CSP override (via XML extension or configuration template). The script-src directive carries no 'unsafe-eval', so expression evaluation through eval is switched off with org.nuxeo.web.ui.expressions.eval:

```xml
<require>org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService.defaultContrib</require>

<extension target="org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService"
           point="responseHeaders">
  <!-- script-src without 'unsafe-eval': eval()/new Function() are blocked by the browser -->
  <header name="Content-Security-Policy">default-src 'self'; script-src 'self' data: *; style-src 'self' 'unsafe-inline'; img-src 'self' data: www.nuxeo.com; font-src * data:; media-src 'self'; frame-src 'self'; frame-ancestors 'self'; object-src 'none';</header>
</extension>

<extension target="org.nuxeo.runtime.ConfigurationService" point="configuration">
  <!-- required once 'unsafe-eval' is gone: Web UI must evaluate nuxeo-filter expressions without eval -->
  <property name="org.nuxeo.web.ui.expressions.eval">false</property>
</extension>
```

2. Configure a slot contribution (in the custom bundle .HTML file) including a filter whose expression uses a JS arrow function. For example, the following displays the Permissions tab if the Document has "Folderish" among its facets:

```html
<nuxeo-slot-content name="documentPermissionsItem" slot="DOCUMENT_VIEWS_ITEMS" order="20">
  <template>
    <!-- the arrow function in this expression is what fails once eval is disabled -->
    <nuxeo-filter document="[[document]]" expression="document.facets.some(f => f === 'Folderish')">
      <template>
        <nuxeo-page-item name="permissions" label="browser.permissions"></nuxeo-page-item>
      </template>
    </nuxeo-filter>
  </template>
</nuxeo-slot-content>
```
3. Log in to Web UI and navigate to a Document (this triggers evaluation of the expression in the nuxeo-filter element).
Expected behavior: the expression is correctly interpreted and evaluates.
Actual behavior: The following error is seen in the browser console:
main.bundle.js:4493 SyntaxError: Unexpected token (1:47) in <nuxeo-filter> expression "!document.isVersion && document.facets.some(f => f !== 'Folderish')"
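The reproduction above only surfaces the problem at runtime, in the browser console, after the strict CSP is already deployed. The following is an added pre-flight check written for this page (example code, not part of Nuxeo Web UI or the reporter's bundle): it parses the CSP header value, decides whether eval is still permitted, and if not, scans HTML contributions for nuxeo-filter expressions that use syntax the reporter found to fail under the non-eval evaluator. Assumptions: contributions are scanned with a regular expression rather than an HTML parser (sufficient for the flat attribute form shown in step 2); `function` expressions are assumed to be in the same class as arrow functions; and the `indexOf`-based rewrite used in the sample is assumed to be accepted by the restricted evaluator, which the issue does not confirm. Note also that the header in step 1 keeps `*` and `data:` in script-src, so it restricts eval but not where scripts may be loaded from; the helper flags those sources as well.

```javascript
// Constructed sample inputs, copied from the issue's reproduction steps.
const SAMPLE_CSP =
  "default-src 'self'; script-src 'self' data: *; style-src 'self' 'unsafe-inline'; " +
  "img-src 'self' data: www.nuxeo.com; font-src * data:; media-src 'self'; " +
  "frame-src 'self'; frame-ancestors 'self'; object-src 'none';";

const SAMPLE_CONTRIBUTION = `
<nuxeo-slot-content name="documentPermissionsItem" slot="DOCUMENT_VIEWS_ITEMS" order="20">
  <template>
    <nuxeo-filter document="[[document]]" expression="document.facets.some(f => f === 'Folderish')">
      <template>
        <nuxeo-page-item name="permissions" label="browser.permissions"></nuxeo-page-item>
      </template>
    </nuxeo-filter>
  </template>
</nuxeo-slot-content>`;

// Parse a Content-Security-Policy header value into { directive: [sources...] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// script-src governs eval(); browsers fall back to default-src when it is absent.
function effectiveScriptSources(header) {
  const d = parseCsp(header);
  return d['script-src'] || d['default-src'] || [];
}

// eval()/new Function() are only permitted when 'unsafe-eval' is listed.
function cspAllowsEval(header) {
  return effectiveScriptSources(header).some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Sources that make script-src permissive even though eval is blocked.
function cspScriptSourceWarnings(header) {
  const risky = new Set(['*', 'data:', 'http:', 'https:', "'unsafe-inline'", "'unsafe-eval'"]);
  return effectiveScriptSources(header).filter((s) => risky.has(s.toLowerCase()));
}

// Minimal attribute-value decoding for the entities likely to appear in an expression.
function decodeAttr(s) {
  return s.replace(/&quot;/g, '"').replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Collect every nuxeo-filter expression attribute in an HTML contribution (regex-based; assumption).
function extractFilterExpressions(html) {
  const re = /<nuxeo-filter\b[^>]*\bexpression\s*=\s*"([^"]*)"/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(decodeAttr(m[1]));
  return out;
}

// Syntax the non-eval evaluator rejects: arrow functions (reported in this issue) and,
// by assumption, function expressions.
const UNSUPPORTED_SYNTAX = [
  { reason: 'arrow function', re: /=>/ },
  { reason: 'function expression', re: /\bfunction\b/ },
];

function findUnsafeExpressions(html) {
  const findings = [];
  for (const expression of extractFilterExpressions(html)) {
    for (const rule of UNSUPPORTED_SYNTAX) {
      if (rule.re.test(expression)) findings.push({ expression, reason: rule.reason });
    }
  }
  return findings;
}

// Deployable only if eval stays allowed, or if no contribution relies on unsupported syntax.
function preflight(cspHeader, htmlFiles) {
  if (cspAllowsEval(cspHeader)) return { ok: true, findings: [], scriptSourceWarnings: [] };
  const findings = htmlFiles.flatMap((html) => findUnsafeExpressions(html));
  return { ok: findings.length === 0, findings, scriptSourceWarnings: cspScriptSourceWarnings(cspHeader) };
}

// Stand-alone run on the issue's own CSP and contribution.
console.log(JSON.stringify(preflight(SAMPLE_CSP, [SAMPLE_CONTRIBUTION]), null, 2));
```

Run with `node` against the bundle's HTML files before switching org.nuxeo.web.ui.expressions.eval to false; a non-empty `findings` list is the set of filters that would fail exactly as in the console error above, and a non-empty `scriptSourceWarnings` list means the header is not yet the "stricter CSP" it is meant to be.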
Is related to: WEBUI-1496 Remove usage of 'unsafe-eval' from CSP (In Progress)