1

When bundling web app using webpack, i need to register some 3rd party scripts into global(i.e. window) namespace, script-loader seems designed for this Webpack - How to load non module scripts into global scope | window.

However, there is a big downside of it, the generated code uses eval.call which is not compliant with most CSP security guidelines and thus strongly discouraged to use it in production. Is there any alternative webpack loader that i can use to achieve the same purpose without XSS vulnerabilities?

Also the GitHub project https://github.com/webpack-contrib/script-loader is already archived

Allen
  • 4,431
  • 2
  • 27
  • 39

1 Answers1

0

So far this looks like the best solution, but it's tedious:

https://webpack.js.org/loaders/imports-loader/

Basically you need to know what side-effect each script is performing, and imports-loader gives you ways to make them happen. For example, you can wrap the script in a function call that binds this to the global window object.

It would be nice if we could somehow just have the scripts run in order, but I also see how that would be difficult in Webpack without eval, which is the problem.

Michael Pearson
  • 584
  • 1
  • 4
  • 10