Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

createNamedFunction in Emscripten compiled js is unsafe and doesn't work when enabling CSP #8462

Open
stevedj opened this issue Dec 4, 2024 · 18 comments
Assignees
Labels
type:bug Something isn't working

Comments

@stevedj
Copy link

stevedj commented Dec 4, 2024

System information
tfjs-tflite 0.0.1-alpha.10

Describe the current behavior
When setting CSP policy, we get "Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script". We traced this to createNamedFunction() which seems to come from emscripten and uses new Function(). Seemingly it can be disabled at compilation.

Reference:
https://stackoverflow.com/a/64814360
https://github.com/emscripten-core/emscripten/blob/1bc49003b9a5310362d2e4a6334a62be9cd56dc2/src/settings.js#L1282
#7144 (comment)

Describe the expected behavior
Please don't use this code
function createNamedFunction(name, body) {
name = makeLegalFunctionName(name);
return new Function("body","return function " + name + "() {\n" + ' "use strict";' + " return body.apply(this, arguments);\n" + "};\n")(body)
}

when compiling the wasm (if using emscripten), please use this
-s NO_DYNAMIC_EXECUTION=1

If the code has been open sourced, please give us the link so we can build it,
if not updating the library will be helpful for us,

Thank you so much

@stevedj stevedj added the type:bug Something isn't working label Dec 4, 2024
@stevedj
Copy link
Author

stevedj commented Dec 5, 2024

I found a comment about using the old version of tfjs,
#7554 (comment)

But when I checked, it gave me an error in tflite_web_api_cc_simd_threaded.js (or tflite_web_api_cc_simd.js),
stating that
function createNamedFunction(name, body) {
name = makeLegalFunctionName(name);
return new Function("body","return function " + name + "() {\n" + ' "use strict";' + " return body.apply(this, arguments);\n" + "};\n")(body)
}
it seems it is using regenerator-runtime for polyfills.

maybe we can rebuild using NO_DYNAMIC_EXECUTION=1?

if anyone has a solution please let me know,
I'd love to hear what @mattsoulanille thinks about this.

Best regards
Steve

@shmishra99 shmishra99 self-assigned this Dec 5, 2024
@shmishra99
Copy link
Contributor

Hi @stevedj ,

I tested the workaround shared by @mattsoulanille in my Chrome extension, and it's not throwing any errors.

Could you tell us how you're using the ES2017 TFJS bundle in your code?

It would be helpful to know which specific part of the TFJS code is causing the problem. If possible, please provide a minimal reproducible code example.

Thank You!!

@stevedj
Copy link
Author

stevedj commented Dec 5, 2024

Hi @shmishra99

Thank you for your reply,
I will create a Minimum Reproducible Code example,
I am using tfjs-tflite 0.0.1-alpha.10, and tried to load the tflite model,
but it is showing an error,

Please allow me some time to create the MRC,

Best regards
Steve

@stevedj
Copy link
Author

stevedj commented Dec 5, 2024

Hi @shmishra99

Thank you for your patience,
Please find the Minimum Reproducible Code in this link

@shmishra99
Copy link
Contributor

Hi @stevedj ,

I have tested the chrome-extension you shared. It seems that even after converting all used dependencies to ES2017, the issue persists with WASM dependencies. The error message indicates that the tflite_web_api_cc_simd_threaded.js file is not found, and the unsafe-eval directive in the Content Security Policy is causing the issue.

I think we need to use es2017 bundle for wasm dependencies as well. I will investigate more on this issue and update you soon.

Thank You!!

@stevedj
Copy link
Author

stevedj commented Dec 6, 2024

Hi @shmishra99,

Thank you so much,
but in this comment, #7144 (comment)
@mattsoulanille 's comment indicates that we need to update the wasm and javascript generated by the Emscripten (in my opinion we need to update using -s NO_DYNAMIC_EXECUTION=1 flag)

Let me know your thoughts,

Thank you

@stevedj
Copy link
Author

stevedj commented Dec 6, 2024

Hi @shmishra99,

please feel free to message me if there is anything I can do to clarify,

Thank you

@stevedj
Copy link
Author

stevedj commented Dec 9, 2024

Hi @shmishra99

if you need any help investigating the issue, please feel free to inform me,
I will be here, and try your suggestion

Thank you

@shmishra99
Copy link
Contributor

Sure @stevedj , we will investigate this issue further and give you an update soon.

@stevedj
Copy link
Author

stevedj commented Dec 12, 2024

Hi @shmishra99
Thank you so much,
I appreciate it, if there is anything that I can do, I will be glad to help,

@stevedj
Copy link
Author

stevedj commented Dec 16, 2024

Hi @shmishra99,
good day to you,
Is there any news regarding this issue? If not, an ETA would be helpful.

@stevedj
Copy link
Author

stevedj commented Dec 16, 2024

Hi @shmishra99

I agree that the issue persists when we are using the ES2017 bundle,
and I believe it is because of the WASM Dependencies, is there anything that I can do to make the WASM dependencies work (maybe building the tfjs-tflite code mentioned by @mattsoulanille)?

Thanks for the issue report, @dinu-marina-typewise. At the moment, the WASM binaries are built on Google's internal build infrastructure, so you won't be able to build them yourself. One of our goals for Q1 2023 is to open-source this part of the build process.

Hi @stevedj ,

I have tested the chrome-extension you shared. It seems that even after converting all used dependencies to ES2017, the issue persists with WASM dependencies. The error message indicates that the tflite_web_api_cc_simd_threaded.js file is not found, and the unsafe-eval directive in the Content Security Policy is causing the issue.

I think we need to use es2017 bundle for wasm dependencies as well. I will investigate more on this issue and update you soon.

Thank You!!

@stevedj
Copy link
Author

stevedj commented Dec 17, 2024

Hi @shmishra99

Just to clarify, did you get this error?
image

the error is showing on the Chrome Extension.

it is fetching correctly but the unsafe-eval prevents the execution
image

Is there any solution to make it work on Chrome Extension?
because we need the tflite works on the Chrome Extension,

Thank you!

@shmishra99
Copy link
Contributor

Hi @stevedj ,

I'm also encountering the same error. I can't provide an ETA for a resolution yet, but I'll discuss this internally and update you soon.

Thank You!!

@stevedj
Copy link
Author

stevedj commented Dec 18, 2024

Hi @shmishra99
Thank you so much,
I will wait for any news after your internal discussion,

I have tried to use tensorflow.js with the Coco SSD model,
but it gave me the same error
image

The Tensor Flow Lite library works fine (I guess the TF.js will also work fine) when I am using the Visual Studio Live Server Extension

I hope the above information helps,
and if you need to clarify anything please feel free to message me,

Thank you!

@stevedj
Copy link
Author

stevedj commented Jan 13, 2025

Hi @shmishra99 ,

I hope you had a good holiday,
I would like to follow up on our previous discussion regarding loading TFLite models within Chrome Extension. Are there any alternative approaches to consider?

Thank you!

@shmishra99
Copy link
Contributor

Hi @stevedj ,

I hope you had a relaxing holiday as well. I apologize for the delay in my response. I've investigated the issue further, but unfortunately, I haven't been able to find a solution yet. I will prioritize this issue and provide an update soon.

Thank You!!

@stevedj
Copy link
Author

stevedj commented Jan 14, 2025

Hi @shmishra99

Thank you for your reply, no worries, I understand. Prioritizing this will help us a lot.
I really appreciate your help, I will keep on investigating, and write here if I find anything,

Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
type:bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants