anton.mo

Reputation: 113

JSON schema validation in chrome packaged app

I am trying to use the AJV JSON schema validator in my Chrome app, but I am getting the error

EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' blob: filesystem: chrome-extension-resource:".

It happens during execution of

var validate = ajv.compile(schema);

As I understand it, AJV uses dynamic code generation and eval() to validate JSON, which is forbidden by CSP.

Is there a way to use AJV in chrome apps?

Or is there some other JSON schema validator which could be used in chrome apps?

Upvotes: 5

Views: 1478

Answers (3)

Sergey Geron

Reputation: 10172

Encountered the same issue. Used jsonschema instead as a drop-in replacement. Worked OK for me.

Upvotes: 0
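
Why a different validator can run where ajv.compile(schema) is refused, as an added example that is not part of the original answers and is not code from AJV or any other library: a validator that interprets the schema at validation time never passes a string to eval() or the Function constructor, so it works under a CSP without 'unsafe-eval'. The function names, the sample schema and the small keyword subset (type, enum, minimum, maxLength, required, properties, items) are assumptions made for illustration.

```javascript
// Added example: interpreting validator for a small JSON Schema subset.
// It walks the schema as data; no eval / new Function is involved.
// All names and the sample schema below are hypothetical (constructed).
function typeOf(v) {
  if (v === null) return 'null';
  if (Array.isArray(v)) return 'array';
  return Number.isInteger(v) ? 'integer' : typeof v;
}
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns a list of error strings; an empty list means the data is valid.
function validate(schema, data, path = '$') {
  const errors = [];
  const actual = typeOf(data);
  if (schema.type !== undefined) {
    const allowed = [].concat(schema.type);
    const ok = allowed.some((t) => t === actual || (t === 'number' && actual === 'integer'));
    if (!ok) return [`${path}: expected ${allowed.join('|')}, got ${actual}`];
  }
  // enum uses strict equality, so only primitive members are supported here
  if (schema.enum && !schema.enum.includes(data)) errors.push(`${path}: not in enum`);
  if (typeof data === 'number' && schema.minimum !== undefined && data < schema.minimum) {
    errors.push(`${path}: below minimum ${schema.minimum}`);
  }
  // maxLength counts code points, hence the spread instead of data.length
  if (actual === 'string' && schema.maxLength !== undefined && [...data].length > schema.maxLength) {
    errors.push(`${path}: longer than ${schema.maxLength}`);
  }
  if (actual === 'object') {
    for (const key of schema.required || []) {
      if (!has(data, key)) errors.push(`${path}: missing "${key}"`);
    }
    for (const [key, sub] of Object.entries(schema.properties || {})) {
      if (has(data, key)) errors.push(...validate(sub, data[key], `${path}.${key}`));
    }
  }
  if (actual === 'array' && schema.items) {
    data.forEach((item, i) => errors.push(...validate(schema.items, item, `${path}[${i}]`)));
  }
  return errors;
}

// Constructed sample schema
const userSchema = {
  type: 'object',
  required: ['name', 'age'],
  properties: {
    name: { type: 'string', maxLength: 8 },
    age: { type: 'integer', minimum: 0 },
    tags: { type: 'array', items: { type: 'string' } },
  },
};
console.log(validate(userSchema, { name: 'anton', age: 'n/a' }));
```

Interpreting the schema on every call is slower than a compiled validation function, which is the trade-off for not needing 'unsafe-eval'.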

esp

Reputation: 7687

I have recently implemented the option to precompile schemas into standalone modules with ajv-cli. In this way you can completely avoid using code generation and Function constructor, so you will simply comply with your CSP.

Although there are limitations compared with what can be done with Ajv itself, the majority of use cases are covered.

Upvotes: 3

Xan

Reputation: 77531

If some library that you want to use is incompatible with Chrome CSP, then you can use it inside a sandbox.

This is well documented, and has a concrete example and a whole dedicated article "Using eval in Chrome Extensions. Safely."

The downside is that you can't write code that uses both Chrome API and the library. You need to separate this and communicate between two scripts.

Upvotes: 1
