Jan Grz

Reputation: 1473

How to remove unsafe-eval from chrome extension's content_security_policy

I have removed all usages of eval and new Function from a legacy Chrome extension that I am maintaining. How should I update the content_security_policy section in my manifest.json?

Currently it looks like this:

{
  "content_security_policy": "script-src 'self' 'unsafe-eval' https://app.xyz.com; object-src 'self'"
}

If I understand CSP in Chrome extensions correctly, after I have removed all eval and new Function calls from the extension code I may remove the unsafe-eval from manifest.json.

Upvotes: 3

Views: 2637

Answers (1)

Noam Hacker

Reputation: 4825

Eval and related functions are disabled. [But,] the policy against eval() and its relative new Function(String) can be relaxed by adding 'unsafe-eval' to your policy

This means that code using eval and new Function will only work if you have

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"

in your manifest.

Try taking this line out of your manifest and running your extension. If everything still works as expected, then you are safe to remove this policy from your manifest, as you have removed all disabled functions correctly.

Link to CSP

Note: you must remove all the necessary functions related to eval (as described here).

Code like the following does not work:

window.setTimeout("alert('hi')", 10);
window.setInterval("alert('hi')", 10);

Upvotes: 2
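As an added example that is not part of the question or the answer, a small JavaScript audit helper: it drops 'unsafe-eval' from the script-src directive of a manifest's content_security_policy string and flags the eval-like call sites the answer lists (eval, new Function, and setTimeout/setInterval given a string) that would stop working once the directive is gone. The sample policy and source lines are constructed, and all function names are mine.

```javascript
// Parse a CSP string into a map of directive name -> array of sources.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0]] = tokens.slice(1);
  }
  return directives;
}

// Drop 'unsafe-eval' from script-src and re-serialize, keeping directive order.
function stripUnsafeEval(policy) {
  const directives = parseCsp(policy);
  if (directives['script-src']) {
    directives['script-src'] = directives['script-src']
      .filter((src) => src !== "'unsafe-eval'");
  }
  return Object.entries(directives)
    .map(([name, sources]) => [name, ...sources].join(' '))
    .join('; ');
}

// Constructs that need 'unsafe-eval' under an extension CSP: eval(), new
// Function(...), and setTimeout/setInterval given a string instead of a
// function. These are regex heuristics, so review each hit by hand.
const EVAL_LIKE = [
  { name: 'eval', re: /\beval\s*\(/ },
  { name: 'new Function', re: /\bnew\s+Function\s*\(/ },
  { name: 'setTimeout(string)', re: /\bsetTimeout\s*\(\s*["'`]/ },
  { name: 'setInterval(string)', re: /\bsetInterval\s*\(\s*["'`]/ },
];

// Scan source text line by line; returns [{ line, name }] for every hit so
// the remaining call sites can be fixed before the manifest is changed.
function findEvalLikeUsage(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const { name, re } of EVAL_LIKE) {
      if (re.test(text)) findings.push({ line: i + 1, name });
    }
  });
  return findings;
}

// Constructed sample input: the question's policy plus three lines of legacy
// code; the callback form of setTimeout on line 2 is fine and is not flagged.
const SAMPLE_POLICY = "script-src 'self' 'unsafe-eval' https://app.xyz.com; object-src 'self'";
const SAMPLE_SOURCE = [
  "window.setTimeout(\"alert('hi')\", 10);",
  "window.setTimeout(() => alert('hi'), 10);",
  "const f = new Function('a', 'return a');",
].join('\n');
```

Run findEvalLikeUsage over each script file first; only when it returns an empty list does stripUnsafeEval give a policy the extension will actually work under.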