detectEval() violates CSP when running in a Chrome extension environment #69
Comments
|
hmm, I'm not sure this is P1, since the "violation" doesn't really do anything other than cause an exception when we feature test "eval" a few lines later. The current state of the world, where we can't feature test CSP without causing an exception and scary "violation" message is just really broken. Adding even more Chrome-specific hacks is pretty unfortunate. The pragmatist in me is happy we are making development experience better by having one less exception on startup, but ultimately Chrome needs to give libraries (like Shadow DOM and observe-js) a real solution here. |
|
Seems like an easy fix that is worth doing though. |
|
yeah, i basically agree, just worried because there's no easy way to test it ... we've added hacks before like document.securityPolicy then the API goes away... seems like an endless bug tail. |
|
One thing I noticed: chrome.runtime check won't work -- it works in normal Chrome. So this would disable eval on all Chrome unless I'm missing something |
|
For Chrome extensions, can the CSP policy be set on a per-extension basis? https://developer.chrome.com/extensions/contentSecurityPolicy if so, we can't do a blanket check. This is unlike Chrome/Firefox OS Apps where (I think) the policy can't be changed. |
|
One last thought here: this page is for Chrome apps, but you may be able to use some of the techniques described here (such as sandboxing): https://developer.chrome.com/apps/contentSecurityPolicy Another idea is we could provide a flag like |
|
+1 to an explicit flag to prevent attempts to use eval. I think that's the On Thu, Sep 11, 2014 at 1:00 PM, John Messerly [email protected]
|
This fix for Chrome apps doesn't work for Chrome extensions because
chrome.app.runtimedoesn't exist in a Chrome extension context. Checking forchrome.runtimeinstead seems to handle both cases.The text was updated successfully, but these errors were encountered: