javascript - Extjs, Chrome Extension and Content Security Policy


I'm trying to develop a Google Chrome extension with Ext JS 5.1.0.

When trying to add ext-all.js to the default_popup HTML, I discovered that Google Chrome extensions can no longer use dynamic script evaluation techniques like eval() or new Function(), or pass strings of JS code to functions that will cause an eval() to be used, like setTimeout().

So during setup the Google Chrome debugger returns the following error:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:".
ext-all-debug.js:8742 Ext.ClassManager.Ext.apply.getInstantiator

This is the faulty piece of code:

        // Excerpt from Ext.ClassManager in ext-all-debug.js (an object-literal method)
        getInstantiator: function(length) {
            var instantiators = this.instantiators,
                instantiator, i, args;

            instantiator = instantiators[length];

            if (!instantiator) {
                i = length;
                args = [];

                for (i = 0; i < length; i++) {
                    args.push('a[' + i + ']');
                }

                // problem here: new Function() compiles a string, which the CSP blocks
                instantiator = instantiators[length] = new Function('c', 'a', 'return new c(' + args.join(',') + ')');

                instantiator.name = "Ext.create" + length;
            }

            return instantiator;
        },

I have found a solution by changing the content_security_policy:

        "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"

Adding this line to manifest.json permits dynamic script evaluation techniques (but it is dangerous).

So, I'd like to preserve the standard Google Chrome security permissions. Is there a way to work around this problem?

You can take a look at the sandbox approach outlined here: Build Apps with Sencha Ext JS

It's for Chrome Apps, but the principles still apply. You can create a sandboxed page with the sandbox property in the manifest, embed it in your page, and safely communicate with it using postMessage. The sandboxed page can't run elevated-privilege Chrome APIs, making eval safer to use.

Again, there's an aptly named article in the Chrome docs: Using eval in Chrome Extensions. Safely.
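
The postMessage exchange described in the answer above, sketched as an added example (not code from the original post, Sencha or the Chrome docs). The file names `sandbox.html` and `popup.html`, the iframe id, the function names and the message shape `{ id, type, payload }` are assumptions made for illustration.

```javascript
// manifest.json (assumed file name): "sandbox": { "pages": ["sandbox.html"] }
// popup.html embeds <iframe id="ext" src="sandbox.html"></iframe>; Ext JS loads only there.

// Popup side: talks to the sandboxed frame and validates everything coming back.
function createSandboxBridge(frameWindow, hostWindow, allowedTypes) {
  const pending = new Map(); // request id -> resolver
  let nextId = 1;

  function onMessage(event) {
    // A sandboxed page has an opaque origin, so identify it by window
    // reference instead of comparing event.origin strings.
    if (event.source !== frameWindow) return false;
    const msg = event.data;
    // Untrusted input: require an object with an allowlisted type.
    if (!msg || typeof msg !== 'object' || !allowedTypes.includes(msg.type)) return false;
    const resolve = pending.get(msg.id);
    if (!resolve) return false; // unknown or already-answered id
    pending.delete(msg.id);
    resolve(msg.payload);
    return true;
  }
  hostWindow.addEventListener('message', onMessage);

  return {
    onMessage,
    request(type, payload) {
      const id = nextId++;
      return new Promise((resolve) => {
        pending.set(id, resolve);
        // '*' because the sandboxed frame's opaque origin cannot be named.
        frameWindow.postMessage({ id, type, payload }, '*');
      });
    },
  };
}

// Sandbox side: runs the eval-dependent code and answers the sender only.
function installSandboxResponder(sandboxWindow, handlers) {
  function onMessage(event) {
    const { id, type, payload } = event.data || {};
    if (!Object.prototype.hasOwnProperty.call(handlers, type)) return false;
    event.source.postMessage({ id, type, payload: handlers[type](payload) }, event.origin);
    return true;
  }
  sandboxWindow.addEventListener('message', onMessage);
  return onMessage;
}
```

In the popup this would be wired as `createSandboxBridge(document.getElementById('ext').contentWindow, window, ['render'])`, and whatever the sandbox returns should be handled as data rather than inserted as markup or passed to privileged chrome.* calls unchecked.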

