eval in chrome package app
UPDATE:
Since at least January 2013, Chrome now permits the unsafe-eval
Content Security Policy (CSP) directive, which allows eval
execution outside of a sandbox:
The policy against
eval()
and its relatives likesetTimeout(String)
,setInterval(String)
, andnew Function(String)
can be relaxed by adding'unsafe-eval'
to your policy
Add an appropriate CSP to you extension manifest, like:
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
The bug you refer to is now marked fixed
, and has been included since Chrome 22.
Prior to the introduction of 'unsafe-eval'
, there was no way to have the CSP of a manifest_version: 2
extension allow execution of arbitrary text as code. At the time, Google made it clear there was no way to remove this restriction (outside of sandboxing):
Inline JavaScript, as well as dangerous string-to-JavaScript methods like
eval
, will not be executed... There is no mechanism for relaxing the restriction against executing inline JavaScript. In particular, setting a script policy that includesunsafe-inline
will have no effect. This is intentional.
As mentioned above, this restriction can now be relaxed.
I suppose you are talking about the new packaged app (manifest version 2), right?
Sandboxes can be used in the new packaged apps, absolutely. Last week I just uploaded a sample which does exactly that: A window sends a message to a hidden sandboxed iframe, the iframe compiles a handlebar template (here it could use eval instead) and returns the compiled HTML to the hosting page, which shows the result.
You can also check this other sample, which does exactly what you want.
So, to directly answer your questions:
1) No, because of CSP restrictions. The only way to evaluate dynamic JavaScript in Chrome Packaged Apps is the sandboxed iframe. If that's not an option to your app, you could also send and evaluate the JavaScript content in your server and return only the results to the user (although this breaks the offline feature of Chrome Packaged Apps)
2) No, you can only use eval() in a sandboxed iframe.
You could try...
function evalMe(code){ var script = document.createElement('script'); script.innerText = code; document.querySelector('head').appendChild(script);}
This should create the same effect, unless they have disabled it as well, but from my knowledge this is fine. Of course if the script errors
you will not hear about it unless you do some wrapping of the string
to eval
e.g.
function myHandler(err){ // handle errors. }function evalMe(code){ var script = document.createElement('script'); var wrapper = '(function(){ try{ @@ }catch(err){ myHandler(err); } })()'; // Make sure the string has an ending semicolon code = code[code.length-1] === ';' ? code : code + ';'; script.innerText = wrapper.replace('@@', code); document.querySelector('head').appendChild(script);}
Alternately you could use the official mechanism
http://developer.chrome.com/beta/extensions/tabs.html#method-executeScript
However this would require you to have a background page and employ message passing between your app
page and the background page.
UPDATE: Working Method
You can create an eval
like method using an iframe and a base64
encoded dataURI
that handles message passing between the extension page and the <iframe>
. You can grab a working copy of the code on github. To use simply clone or download the repo, and install the 'client' dir
as an unpackaged extension in the chrome extension manager. The code driving the plugin resides in app.js
Use the iframeEval to test, the error notification is a little buggy but hey, the eval
works.
@appsillers In order to get your plugin working without any additional code, you could overwrite the eval
method on you extensions window
with the iframeEval
method in the code.