eval in chrome package app

UPDATE:

Since at least January 2013, Chrome now permits the unsafe-eval Content Security Policy (CSP) directive, which allows eval execution outside of a sandbox:

The policy against eval() and its relatives like setTimeout(String), setInterval(String), and new Function(String) can be relaxed by adding 'unsafe-eval' to your policy

Add an appropriate CSP to you extension manifest, like:

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"

The bug you refer to is now marked fixed, and has been included since Chrome 22.

Prior to the introduction of 'unsafe-eval', there was no way to have the CSP of a manifest_version: 2 extension allow execution of arbitrary text as code. At the time, Google made it clear there was no way to remove this restriction (outside of sandboxing):

Inline JavaScript, as well as dangerous string-to-JavaScript methods like eval, will not be executed... There is no mechanism for relaxing the restriction against executing inline JavaScript. In particular, setting a script policy that includes unsafe-inline will have no effect. This is intentional.

As mentioned above, this restriction can now be relaxed.

I suppose you are talking about the new packaged app (manifest version 2), right?

Sandboxes can be used in the new packaged apps, absolutely. Last week I just uploaded a sample which does exactly that: A window sends a message to a hidden sandboxed iframe, the iframe compiles a handlebar template (here it could use eval instead) and returns the compiled HTML to the hosting page, which shows the result.

You can also check this other sample, which does exactly what you want.

So, to directly answer your questions:

1) No, because of CSP restrictions. The only way to evaluate dynamic JavaScript in Chrome Packaged Apps is the sandboxed iframe. If that's not an option to your app, you could also send and evaluate the JavaScript content in your server and return only the results to the user (although this breaks the offline feature of Chrome Packaged Apps)

2) No, you can only use eval() in a sandboxed iframe.

You could try...

function evalMe(code){    var script = document.createElement('script');    script.innerText = code;    document.querySelector('head').appendChild(script);}

This should create the same effect, unless they have disabled it as well, but from my knowledge this is fine. Of course if the script errors you will not hear about it unless you do some wrapping of the string to eval e.g.

function myHandler(err){    // handle errors.   }function evalMe(code){    var script = document.createElement('script');    var wrapper = '(function(){ try{ @@ }catch(err){ myHandler(err); } })()';    // Make sure the string has an ending semicolon    code = code[code.length-1] === ';' ? code : code + ';';    script.innerText = wrapper.replace('@@', code);    document.querySelector('head').appendChild(script);}

Alternately you could use the official mechanism

http://developer.chrome.com/beta/extensions/tabs.html#method-executeScript

However this would require you to have a background page and employ message passing between your app page and the background page.

UPDATE: Working Method

You can create an eval like method using an iframe and a base64 encoded dataURI that handles message passing between the extension page and the <iframe>. You can grab a working copy of the code on github. To use simply clone or download the repo, and install the 'client' dir as an unpackaged extension in the chrome extension manager. The code driving the plugin resides in app.js

Use the iframeEval to test, the error notification is a little buggy but hey, the eval works.

@appsillers In order to get your plugin working without any additional code, you could overwrite the eval method on you extensions window with the iframeEval method in the code.