javascript - Extjs, Chrome Extension and Content Security Policy
I'm trying to develop a Google Chrome extension with Ext JS 5.1.0.
When trying to add ext-all.js to the default_popup HTML, I discovered that Google Chrome extensions can no longer use dynamic script evaluation techniques like eval() or new Function(), or pass strings of JS code to functions that will cause an eval() to be used, like setTimeout().
So during setup the Google Chrome debugger returns the following error:
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:".
ext-all-debug.js:8742 Ext.ClassManager.Ext.apply.getInstantiator
This is the faulty piece of code:
    getInstantiator: function(length) {
        var instantiators = this.instantiators,
            instantiator, i, args;

        instantiator = instantiators[length];

        if (!instantiator) {
            i = length;
            args = [];

            for (i = 0; i < length; i++) {
                args.push('a[' + i + ']');
            }

            // problem here
            instantiator = instantiators[length] = new Function('c', 'a', 'return new c(' + args.join(',') + ')');
            instantiator.name = "Ext.create" + length;
        }

        return instantiator;
    },
I have found a solution by changing the content_security_policy:
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
Adding this line to manifest.json permits dynamic script evaluation techniques (but it is dangerous).
So, I want to preserve the standard Google Chrome security permission. Is there a way to work around this problem?
You can take a look at the sandbox approach outlined here: Build Apps with Sencha Ext JS.
It's for Chrome Apps, but the principles still apply. You can create a sandboxed page with the sandbox property in the manifest, embed it in your page, and safely communicate with it using postMessage. The sandboxed page can't run elevated-privilege Chrome APIs, making eval safer to use.
Again, there's an aptly named article in the Chrome docs: Using eval in Chrome Extensions. Safely.
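The privileged-page side of the sandbox and postMessage arrangement described in the answer, as an added example that is not part of the original post or of Ext JS. The file name `sandbox.html`, the function names, the command names and the message fields are all assumptions made for illustration.

```javascript
// Added example. Assumed manifest.json entry (file name is hypothetical):
//   "sandbox": { "pages": ["sandbox.html"] }
// sandbox.html loads ext-all.js; the popup embeds it in an <iframe> and keeps
// the default CSP, so the privileged page never needs 'unsafe-eval'.

// Commands the privileged page agrees to perform for the sandbox (hypothetical).
const ALLOWED_COMMANDS = new Set(['saveSetting', 'loadSetting']);

// Returns a validated request object, or null if the event must be ignored.
function validateSandboxMessage(event, sandboxWindow) {
  // Only the embedded sandbox frame may talk to the privileged page.
  if (event.source !== sandboxWindow) return null;
  // A sandboxed page has an opaque origin, serialized as the string "null".
  if (event.origin !== 'null') return null;
  const msg = event.data;
  if (msg === null || typeof msg !== 'object') return null;
  if (!Number.isInteger(msg.id)) return null;
  if (!ALLOWED_COMMANDS.has(msg.command)) return null;
  if (typeof msg.key !== 'string' || msg.key.length > 64) return null;
  // Copy only the expected fields; never eval or forward raw message data.
  return {
    id: msg.id,
    command: msg.command,
    key: msg.key,
    value: String(msg.value ?? ''),
  };
}

// Wires the validator to a window and answers each accepted request.
// `handlers` maps command names to functions that wrap the privileged APIs.
function attachBridge(hostWindow, sandboxWindow, handlers) {
  hostWindow.addEventListener('message', (event) => {
    const req = validateSandboxMessage(event, sandboxWindow);
    if (!req) return;
    const handler = handlers[req.command];
    if (typeof handler !== 'function') return;
    const result = handler(req.key, req.value);
    // An opaque origin cannot be named as a targetOrigin, hence '*'.
    sandboxWindow.postMessage({ id: req.id, result }, '*');
  });
}
```

In the popup, `sandboxWindow` would be the `contentWindow` of the iframe that embeds the sandboxed page.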