javascript - Extjs, Chrome Extension and Content Security Policy -


I'm trying to develop a Google Chrome extension with Ext JS 5.1.0.

When trying to add ext-all.js to the default_popup HTML, I discovered that Google Chrome extensions can no longer use dynamic script evaluation techniques like eval() or new Function(), or pass strings of JS code to functions that will cause an eval() to be used, like setTimeout().

So during setup the Google Chrome debugger returns the following error:

    Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:".
    ext-all-debug.js:8742 Ext.ClassManager.Ext.apply.getInstantiator

This is the faulty piece of code:

        getInstantiator: function(length) {
            var instantiators = this.instantiators,
                instantiator, i, args;

            // Reuse a cached instantiator for this argument count if one exists
            instantiator = instantiators[length];

            if (!instantiator) {
                i = length;
                args = [];

                for (i = 0; i < length; i++) {
                    args.push('a[' + i + ']');
                }

                // problem here: new Function() compiles a string, which the
                // default extension CSP blocks just like eval()
                instantiator = instantiators[length] = new Function('c', 'a', 'return new c(' + args.join(',') + ')');

                instantiator.name = "Ext.create" + length;
            }

            return instantiator;
        },

I have found a solution by changing the content_security_policy:

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'" 

Adding this line to manifest.json permits dynamic script evaluation techniques (but it is dangerous).

So, I would like to preserve the standard Google Chrome security permissions. Is there a way to work around the problem?

You could take a look at the sandbox approach outlined here: Build Apps with Sencha Ext JS

It's for Chrome Apps, but the principles still apply. You can create a sandboxed page with the sandbox property in the manifest, embed it in your page, and safely communicate with it using postMessage. The sandboxed page can't run elevated-privilege Chrome APIs, making eval safer to use.

Again, there's an aptly named article in the Chrome docs: Using eval in Chrome extensions. Safely.
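
An added example, not part of the question or the answer above, showing the privileged (popup) side of the sandbox approach: it keeps the default CSP and validates every message coming back from the sandboxed Ext JS page before acting on it. The file name `sandbox.html`, the `extFrame` id, the message shape and the `ALLOWED_TYPES` set are assumptions made for illustration.

```javascript
// Added example; names and message format are hypothetical.
//
// manifest.json (Manifest V2, as in the question) keeps the default CSP and
// declares the page that loads ext-all.js as sandboxed:
//   "sandbox": { "pages": ["sandbox.html"] }
// popup.html embeds it:
//   <iframe id="extFrame" src="sandbox.html"></iframe>

const ALLOWED_TYPES = new Set(['ready', 'rowSelected']);

// Decide whether a 'message' event really comes from our sandboxed frame and
// carries a message we understand. Returns a cleaned copy, or null to drop it.
function acceptSandboxMessage(event, frameWindow) {
  // A sandboxed page has a unique origin, so event.origin is the string
  // "null" and cannot identify the sender; compare the source window instead.
  if (event.source !== frameWindow) return null;
  const msg = event.data;
  if (msg === null || typeof msg !== 'object') return null;
  if (typeof msg.type !== 'string' || !ALLOWED_TYPES.has(msg.type)) return null;
  // Copy only the expected primitive fields; the payload is never evaluated
  // or inserted as markup on the privileged side.
  const id = Number.isInteger(msg.id) ? msg.id : null;
  return { type: msg.type, id: id };
}

// Browser wiring for popup.js (skipped when the file is run outside a browser).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const frame = document.getElementById('extFrame');
  if (frame) {
    window.addEventListener('message', (event) => {
      const msg = acceptSandboxMessage(event, frame.contentWindow);
      if (!msg) return;
      if (msg.type === 'ready') {
        // The sandboxed page has no stable origin to target, hence '*'.
        frame.contentWindow.postMessage({ type: 'load', rows: [] }, '*');
      } else if (msg.type === 'rowSelected') {
        // Privileged chrome.* calls belong here, driven by validated fields only.
        console.log('selected row', msg.id);
      }
    });
  }
}
```

The sandboxed page would run Ext JS and post `{ type: 'rowSelected', id: ... }` objects to `window.parent`; it has no access to chrome.* APIs, so anything it sends is treated as untrusted input.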

