Reputation: 63
"eval" blocked by CSP using on page-mod's contentScript
Im trying to create an extension that will interacts with github. I need to use "eval" in my code but im keep getting blocked by the page CSP. This is a simplified version of my code:
const pageMod = require("sdk/page-mod").PageMod;
var contentScript = 'try {eval("console.log(\'hello from eval\')");} catch (e) {console.log("page mode " + e.message);}';
pageMod({
include: "*",
contentScript: contentScript ,
contentScriptWhen: "start"
});
Can someone help me solve the problem?
Upvotes: 2
Views: 789
Answers (1)
Reputation: 25322
This because the Content Security Policy: https://developer.mozilla.org/en-US/docs/Security/CSP/CSP_policy_directives
Usually 99% of the time, the usage of eval can be replaced with something else. If you give the context (why you need the eval), we can try to suggest an alternative.
That's the easy way.
The hard way, is intercept the response from github, to remove that header, using the observer notification "http-on-examine-response", here there is a full example but you can probably have a simplified version of it.
Personally, I would try to avoid using eval, it's usually easier.
Upvotes: 1
Related Questions
- Call to eval() blocked by CSP with Selenium IDE
- CSP: How to debug violation: eval: "script-sample: var KERNEL = ..."
- Error: Content Security Policy: The page’s settings blocked the loading of a resource
- Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”) firefox webextensions
- Source: call to eval() or related function blocked by CSP
- Content Security Policy issue when using JS files with firefox-addon
- Firefox os privileged app error : call to eval() blocked by csp at jquery 1.9.1
- Content Security Policy on Mozilla extension
- content privacy policy refuses appending script to DOM
- CSP and browser extensions