#15950 closed defect (fixed)
Chrome extensions manifest_version 2 problem (csp)
| Reported by: | viroroi | Owned by: | dylan |
|---|---|---|---|
| Priority: | undecided | Milestone: | 1.11 |
| Component: | Core | Version: | 1.8.0 |
| Keywords: | Cc: | ||
| Blocked By: | Blocking: |
Description
Hi,
I was developing a chrome extension without problems with dojox mobile, building a single dojo.js file.
But now in chrome extension manifest_version 2 there has a new Content Security Policy (CSP) for genereting the extension. So, there are some instruccions not valid (new Function and Eval) in dojo.js built.
I have tried to create a sandbox in chrome extension manifest, but the same error.
Line 18: var A=new Function("return eval(arguments[0]);");
"Uncaught Error: Code generation from strings disallowed for this context"
I can not create chrome extensions from now. How can I solve it?
Thanks
Change History (8)
comment:1 Changed 6 years ago by
comment:2 Changed 6 years ago by
Seems to me there are basically 2 primary problems blocking this from working.
The first is http://bugs.dojotoolkit.org/browser/dojo/tags/release-1.8.3/dojo/dojo.js#L313
The second is http://bugs.dojotoolkit.org/browser/dojo/tags/release-1.8.3/dojo/_base/kernel.js#L110
If I comment these out, I'm able to get a very basic chrome extension w/ manifest v2 to run. However, I expect your mileage may vary; in particular, the second line of code pointed out above is responsible for defining dojo.eval, so if you rely on any code that in turn relies on that, you may be out of luck.
Monteslu and I are wondering if it'd be feasible to has-bracket these lines of code so that one can build an eval-less version of Dojo. Maybe call it has("evil")? ;)
comment:3 Changed 6 years ago by
I made the changes for a custom build of monteslu and my game engine. I called the has tests has("csp-restrictions").
It seems that declare has an offending line also: http://bugs.dojotoolkit.org/browser/dojo/tags/release-1.8.3/dojo/_base/declare.js#L6
comment:4 Changed 6 years ago by
Made some sample commits to a fork on my github. https://github.com/phated/dojo/commits/csp
comment:5 Changed 3 years ago by
| Component: | General → Core |
|---|---|
| Milestone: | tbd → 1.11 |
| Owner: | set to dylan |
| Status: | new → assigned |
| Summary: | Chrome extensions manifest_version 2 problem → Chrome extensions manifest_version 2 problem (csp) |
comment:6 Changed 3 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Verified this is a problem.
it's currently blocking me from adding some games to the chrome web store.
Any way to coerce the loader into not using evals?