createNamedFunction in Emscripten compiled js is unsafe and doesn't work when enabling CSP

[stevedj]

System information
tfjs-tflite 0.0.1-alpha.10

Describe the current behavior
When setting CSP policy, we get "Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script". We traced this to createNamedFunction() which seems to come from emscripten and uses new Function(). Seemingly it can be disabled at compilation.

Reference:
https://stackoverflow.com/a/64814360
https://github.com/emscripten-core/emscripten/blob/1bc49003b9a5310362d2e4a6334a62be9cd56dc2/src/settings.js#L1282
#7144 (comment)

Describe the expected behavior
Please don't use this code
function createNamedFunction(name, body) {
name = makeLegalFunctionName(name);
return new Function("body","return function " + name + "() {\n" + ' "use strict";' + " return body.apply(this, arguments);\n" + "};\n")(body)
}

when compiling the wasm (if using emscripten), please use this
-s NO_DYNAMIC_EXECUTION=1

If the code has been open sourced, please give us the link so we can build it,
if not updating the library will be helpful for us,

Thank you so much

[stevedj]

I found a comment about using the old version of tfjs,
#7554 (comment)

But when I checked, it gave me an error in tflite_web_api_cc_simd_threaded.js (or tflite_web_api_cc_simd.js),
stating that
function createNamedFunction(name, body) {
name = makeLegalFunctionName(name);
return new Function("body","return function " + name + "() {\n" + ' "use strict";' + " return body.apply(this, arguments);\n" + "};\n")(body)
}
it seems it is using regenerator-runtime for polyfills.

maybe we can rebuild using NO_DYNAMIC_EXECUTION=1?

if anyone has a solution please let me know,
I'd love to hear what @mattsoulanille thinks about this.

Best regards
Steve

[shmishra99]

Hi @stevedj ,

I tested the workaround shared by @mattsoulanille in my Chrome extension, and it's not throwing any errors.

Could you tell us how you're using the ES2017 TFJS bundle in your code?

It would be helpful to know which specific part of the TFJS code is causing the problem. If possible, please provide a minimal reproducible code example.

Thank You!!

[stevedj]

Hi @shmishra99

Thank you for your reply,
I will create a Minimum Reproducible Code example,
I am using tfjs-tflite 0.0.1-alpha.10, and tried to load the tflite model,
but it is showing an error,

Please allow me some time to create the MRC,

Best regards
Steve

[stevedj]

Hi @shmishra99

Thank you for your patience,
Please find the Minimum Reproducible Code in this link

[shmishra99]

Hi @stevedj ,

I have tested the chrome-extension you shared. It seems that even after converting all used dependencies to ES2017, the issue persists with WASM dependencies. The error message indicates that the tflite_web_api_cc_simd_threaded.js file is not found, and the unsafe-eval directive in the Content Security Policy is causing the issue.

I think we need to use es2017 bundle for wasm dependencies as well. I will investigate more on this issue and update you soon.

Thank You!!

[stevedj]

Hi @shmishra99,

Thank you so much,
but in this comment, #7144 (comment)
@mattsoulanille 's comment indicates that we need to update the wasm and javascript generated by the Emscripten (in my opinion we need to update using -s NO_DYNAMIC_EXECUTION=1 flag)

Let me know your thoughts,

Thank you

[stevedj]

Hi @shmishra99,

please feel free to message me if there is anything I can do to clarify,

Thank you

[stevedj]

Hi @shmishra99

if you need any help investigating the issue, please feel free to inform me,
I will be here, and try your suggestion

Thank you

[shmishra99]

Sure @stevedj , we will investigate this issue further and give you an update soon.

[stevedj]

Hi @shmishra99
Thank you so much,
I appreciate it, if there is anything that I can do, I will be glad to help,

[stevedj]

Hi @shmishra99,
good day to you,
Is there any news regarding this issue? If not, an ETA would be helpful.