Description
Bug Report
Hey from amCharts. We're using pdfkit (indirectly via pdfmake) to export charts to PDF in our flagship dataviz lib, and running into a bit of an issue with security-conscious users.
Description of the problem
pdfkit fails with a critical security error if the page has Content-Security-Policy enabled. E.g.:
Header add Content-Security-Policy "script-src 'self'"
The above header prevents in-line script creation, which is a reasonable security measure, preventing any unauthorized JS code from being activated on the web page.
It originates in the Pointer function, which for some reason is using eval'ed code to generate function references:
The function comes from an old version of restructure used by one of pdfkit's dependencies - fontkit.
The issue has already been addressed in restructure, so it's just a matter of upgrading the whole chain of dependencies. Taking into account that all three libs are maintained by foliojs, it shouldn't be that hard? ;)
Live examples
With CSP enabled (failing, see browser console):
http://test.amcharts.com/demo/pdfkit/with-CSP/
Without CSP (working fine):
http://test.amcharts.com/demo/pdfkit/without-CSP/
Your environment
- pdfkit version: 0.11
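
Added illustration of the failure mode described in the report; this is example code written for this page, not the actual Pointer implementation from restructure, fontkit or pdfkit. It builds the same kind of lazily-dereferenced "pointer" field two ways: once with a getter compiled from a string via `new Function` (which a `Content-Security-Policy: script-src 'self'` header blocks unless `'unsafe-eval'` is added, throwing an EvalError at parse time), and once with an ordinary closure that needs no dynamic code. The 12-byte record layout, the field name `target`, and the helper names are all assumptions made for the example; `evalAllowed()` is a probe a library could run up front to fail with a clear message instead of deep inside a font parser.

```javascript
// Added example for this issue, not code from pdfkit, fontkit or restructure.
// It shows why a `new Function` / eval-style accessor breaks under
// `Content-Security-Policy: script-src 'self'` and how the same lazy
// "pointer" field can be built with a closure instead.

// Constructed sample record (12 bytes, layout invented for this example):
// bytes 0-3 hold a little-endian uint32 offset (8); bytes 8-9 hold the
// little-endian uint16 0x1234 that the pointer refers to.
const sampleBuf = new Uint8Array([8, 0, 0, 0, 0, 0, 0, 0, 0x34, 0x12, 0, 0]);

// Counts how many times a pointer was actually dereferenced, so the
// memoisation of the lazy field can be checked.
const stats = { decodes: 0 };

// Follow the offset stored at byte 0 and read the uint16 it points at.
function readPointerTarget(buf) {
  const view = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
  const offset = view.getUint32(0, true);
  if (offset + 2 > buf.byteLength) throw new RangeError('pointer out of bounds');
  stats.decodes += 1;
  return view.getUint16(offset, true);
}

// Variant 1: getter compiled from a string. Node runs this, but a browser
// enforcing `script-src 'self'` without 'unsafe-eval' throws an EvalError
// at the `new Function` call, which is the failure the report describes.
function defineLazyFieldWithEval(target, name, decode) {
  const getter = new Function(
    'decode', 'name',
    'return function () {' +
    '  var v = decode(this);' +
    '  Object.defineProperty(this, name, { value: v, enumerable: true, configurable: true });' +
    '  return v;' +
    '};'
  )(decode, name);
  Object.defineProperty(target, name, { get: getter, enumerable: true, configurable: true });
}

// Variant 2: identical behaviour with a plain closure. No code is generated
// from a string, so CSP has nothing to block.
function defineLazyFieldSafe(target, name, decode) {
  Object.defineProperty(target, name, {
    get() {
      const v = decode(this);
      // Replace the getter with the decoded value so later reads are free.
      Object.defineProperty(this, name, { value: v, enumerable: true, configurable: true });
      return v;
    },
    enumerable: true,
    configurable: true,
  });
}

function decodeRecordWithEval(buf) {
  const rec = { raw: buf };
  defineLazyFieldWithEval(rec, 'target', r => readPointerTarget(r.raw));
  return rec;
}

function decodeRecordSafe(buf) {
  const rec = { raw: buf };
  defineLazyFieldSafe(rec, 'target', r => readPointerTarget(r.raw));
  return rec;
}

// Runtime probe: true when dynamic code generation is permitted. Under a CSP
// without 'unsafe-eval' the `new Function` call throws and this returns false.
function evalAllowed() {
  try {
    new Function('return true')();
    return true;
  } catch (e) {
    return false;
  }
}

// Stand-alone run (Node, no CSP): both variants decode the same value.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('eval allowed:', evalAllowed());
  console.log('safe variant  -> 0x' + decodeRecordSafe(sampleBuf).target.toString(16));
  console.log('eval variant  -> 0x' + decodeRecordWithEval(sampleBuf).target.toString(16));
}
```

Run under Node both variants return the same value, because Node applies no CSP; load the same file in a page served with `script-src 'self'` and only `decodeRecordSafe` survives, while `evalAllowed()` returns false. That probe is the check a library can make before choosing a code path, and the closure form is the kind of change that removes the need for `'unsafe-eval'` altogether.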
