Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive

[nop33]

Seems like when using this library in a browser environment where the CSP does not allow for 'unsafe-eval' it doesn't work.

EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".

We discovered that the source of the problem are these lines of binary-parser:

binary-parser/lib/binary_parser.ts

Lines 839 to 847 in d033245

	compile() {
	const importPath = "imports";
	const ctx = this.getContext(importPath);
	this.compiled = new Function(
	importPath,
	"TextDecoder",
	`return function (buffer, constructorFn) { ${ctx.code} };`,
	)(ctx.imports, TextDecoder);
	}

[keichi]

Thanks for pointing this out. Using Function()/eval() was an early design choice to optimize for performance. We currently do not have plans to remove this limitation.