Opened 7 years ago

Closed 4 years ago

Last modified 3 years ago

#15950 closed defect (fixed)

Chrome extensions manifest_version 2 problem (csp)

Reported by: viroroi Owned by: dylan
Priority: undecided Milestone: 1.11
Component: Core Version: 1.8.0
Keywords: Cc:
Blocked By: Blocking:

Description

Hi,

I was developing a chrome extension without problems with dojox mobile, building a single dojo.js file.

But now in chrome extension manifest_version 2 there has a new Content Security Policy (CSP) for genereting the extension. So, there are some instruccions not valid (new Function and Eval) in dojo.js built.

I have tried to create a sandbox in chrome extension manifest, but the same error.

Line 18: var A=new Function("return eval(arguments[0]);");

"Uncaught Error: Code generation from strings disallowed for this context"

I can not create chrome extensions from now. How can I solve it?

Thanks

Change History (8)

comment:1 Changed 7 years ago by Luis Montes

Verified this is a problem.

it's currently blocking me from adding some games to the chrome web store.

Any way to coerce the loader into not using evals?

comment:2 Changed 7 years ago by Kenneth G. Franqueiro

Seems to me there are basically 2 primary problems blocking this from working.

The first is http://bugs.dojotoolkit.org/browser/dojo/tags/release-1.8.3/dojo/dojo.js#L313

The second is http://bugs.dojotoolkit.org/browser/dojo/tags/release-1.8.3/dojo/_base/kernel.js#L110

If I comment these out, I'm able to get a very basic chrome extension w/ manifest v2 to run. However, I expect your mileage may vary; in particular, the second line of code pointed out above is responsible for defining dojo.eval, so if you rely on any code that in turn relies on that, you may be out of luck.

Monteslu and I are wondering if it'd be feasible to has-bracket these lines of code so that one can build an eval-less version of Dojo. Maybe call it has("evil")? ;)

comment:3 Changed 7 years ago by phated

I made the changes for a custom build of monteslu and my game engine. I called the has tests has("csp-restrictions").

It seems that declare has an offending line also: http://bugs.dojotoolkit.org/browser/dojo/tags/release-1.8.3/dojo/_base/declare.js#L6

comment:4 Changed 7 years ago by phated

Made some sample commits to a fork on my github. https://github.com/phated/dojo/commits/csp

comment:5 Changed 4 years ago by dylan

Component: GeneralCore
Milestone: tbd1.11
Owner: set to dylan
Status: newassigned
Summary: Chrome extensions manifest_version 2 problemChrome extensions manifest_version 2 problem (csp)

comment:6 Changed 4 years ago by dylan

Resolution: fixed
Status: assignedclosed

comment:7 Changed 3 years ago by Dylan Schiemann <dylan@…>

In 98c00fc/dojo:

Error: Processor CommitTicketReference failed
Unsupported version control system "git": Can't find an appropriate component, maybe the corresponding plugin was not enabled? 

comment:8 Changed 3 years ago by Dylan Schiemann <dylan@…>

In 2466f45/dojo:

Error: Processor CommitTicketReference failed
Unsupported version control system "git": Can't find an appropriate component, maybe the corresponding plugin was not enabled? 
Note: See TracTickets for help on using tickets.