From 3cd169a650abdfe284b813cd0cdf944c3672af35 Mon Sep 17 00:00:00 2001
From: David Mehren <git@herrmehren.de>
Date: Sun, 6 Jun 2021 18:25:55 +0200
Subject: [PATCH 1/2] Remove unsafe-eval from default CSP

As script-loader was removed in the previous commits,
we can finally tighten up security.

Signed-off-by: David Mehren <git@herrmehren.de>
---
 lib/csp.js | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/csp.js b/lib/csp.js
index 08efdd795..74404413c 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -5,8 +5,7 @@ const CspStrategy = {}
 
 const defaultDirectives = {
   defaultSrc: ['\'self\''],
-  scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', '\'unsafe-eval\''],
-  // ^ TODO: Remove unsafe-eval - webpack script-loader issues https://github.com/hackmdio/codimd/issues/594
+  scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net'],
   imgSrc: ['*'],
   styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
   fontSrc: ['\'self\'', 'data:', 'https://public.slidesharecdn.com'],

From f86fae3bd768db252887337f3ea89a920caeeee3 Mon Sep 17 00:00:00 2001
From: David Mehren <git@herrmehren.de>
Date: Sun, 6 Jun 2021 21:08:26 +0200
Subject: [PATCH 2/2] Don't use eval-based source maps

Signed-off-by: David Mehren <git@herrmehren.de>
---
 webpack.dev.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/webpack.dev.js b/webpack.dev.js
index 7c7edb614..3b0293d69 100644
--- a/webpack.dev.js
+++ b/webpack.dev.js
@@ -6,9 +6,9 @@ module.exports = [
   // merge common config
   merge(common, {
     mode: 'development',
-    devtool: 'eval-cheap-module-source-map'
+    devtool: 'cheap-module-source-map'
   }),
   merge(htmlexport, {
     mode: 'development',
-    devtool: 'eval-cheap-module-source-map'
+    devtool: 'cheap-module-source-map'
   })]