Is eval strictly necessary?

[JudahGabriel]

Is eval strictly necessary in this library?

This library uses eval("(-1).toFixed(-1);") to trigger an exception and determine the browser from the exception message length.

What's the problem? Most secure web apps have a Content Security Policy (CSP) that prevents eval. Indeed, at many big corporations, such as GitHub and Microsoft, CSPs that prevent eval is required. Try it now in your browser: hit F12 and in the console, paste eval("(-1).toFixed(-1);") - you'll see GitHub prevents it:

Looking at the code closer, the real exception is calling toFixed(-1). And this library is using the exception message length to determine the browser. It's not at all clear why eval is needed at all. Is it?

[Joe12387]

Hi there,

Shortly after I added the new (-1).toFixed(-1) method, someone requested via a PR that this be encapsulated, I don't recall why. If this is causing issues for you, feel free to submit a PR reversing it.

Thanks,
Joe

[coder0107git]

Seems like it was added in #45 to stop bundlers from optimizing it away.

[JudahGabriel]

Interesting. Perhaps we can avoid this by doing a parseInt call on the strings, then passing those to toFixed. That should also prevent bundlers from optimizing it away:

function feid (): number {
   let toFixedEngineID = 0;
   let neg = parseInt("-1");
   try {
      neg.toFixed(neg);
   } catch (e) {
     toFixedEngineID = (e as Error).message.length 
   }
   return toFixedEngineID
}

To know for sure if this works, we'd need to try it on detectIncognito's bundler. (Does it use one?)

[Joe12387]

@JudahGabriel I committed that snippet, we'll see if that causes any issues. If it doesn't, I'll push it to npm.