
javascript - Can't use Raphael JS to draw a path in a Chrome extension popup because of security policy? - Stack Overflow


If I try to use Raphael to draw a path in the default_popup page for my Chrome extension:

r.path("M0,0L10,10");

I get the following error:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:".

I understand the need to disallow eval() and things like that, but why is this "evaluating a string as JavaScript"? Is there any alternative way to generate the path without the path string besides setting an unsafe security policy that would also wind up allowing eval()?

asked Feb 13, 2013 by NChase (edited Feb 13, 2013)

3 Answers

Answer 1 (score 17):

In order to use eval() in your extension, add the following line to your manifest.json (I assume that you're using manifest v2):

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"

As you might guess the directive 'unsafe-eval' does the trick.

Answer 2:

Sergii's solution is working. However, it's not recommended to do this, since it makes your extension vulnerable to XSS attacks.

You should use sandboxing instead: http://developer.chrome.com/apps/sandboxingEval.html
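An added example, not code from the original post, from Raphael or from Chrome: the first answer's manifest change placed beside the sandboxed layout the second answer recommends, with a postMessage bridge between the popup and the sandbox page so that only SVG path data ever reaches the page that is allowed to eval. The file names popup.js, sandbox.html and sandbox.js, the iframe id "sandbox", and the path-data filter are assumptions of this example. Only the validation and message-building functions run outside a browser; the page wiring at the bottom runs only inside an extension page.

```javascript
// Added example, not from the original post, Raphael or Chrome. Assumed files:
// popup.html/popup.js (the default_popup, embedding <iframe id="sandbox" src="sandbox.html">)
// and sandbox.html/sandbox.js (loads raphael.js and draws). The path filter is this
// example's own rule, not something Raphael or Chrome enforces.

// manifest.json fragments (manifest v2). The first is the accepted answer's change: it
// lifts the eval restriction for every page of the extension. The second keeps the
// default CSP for the popup and declares sandbox.html as a sandboxed page, which Chrome
// runs with a relaxed CSP that permits eval, in a unique origin, without access to the
// chrome.* extension APIs.
const manifestUnsafeEval = {
  manifest_version: 2,
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};
const manifestSandboxed = {
  manifest_version: 2,
  sandbox: { pages: ["sandbox.html"] },
};

// Only SVG path data may cross the bridge: command letters, numbers and separators.
// Markup, quotes, parentheses and semicolons never reach the page that can eval.
const PATH_DATA = /^[MmLlHhVvCcSsQqTtAaZz0-9\s,.+\-eE]+$/;

function isPathData(s) {
  return typeof s === "string" && s.length > 0 && s.length <= 4096 && PATH_DATA.test(s);
}

// Popup side: the request is a plain object, and non-path data is refused up front.
function buildDrawRequest(pathData) {
  if (!isPathData(pathData)) throw new Error("refusing to send non-path data to the sandbox");
  return { type: "draw", path: pathData };
}

// Sandbox side: re-check the message (the sandbox must not trust the embedder either),
// then hand the string to the drawing callback (assumed: paper.path from Raphael).
function handleSandboxMessage(msg, draw) {
  if (!msg || msg.type !== "draw" || !isPathData(msg.path)) {
    return { ok: false, error: "rejected" };
  }
  draw(msg.path);
  return { ok: true, path: msg.path };
}

// Browser-only wiring; skipped when the module is loaded outside a page.
if (typeof window !== "undefined") {
  if (typeof Raphael !== "undefined") {
    // sandbox.js: answer only the frame that sent the message, at its own origin.
    const paper = Raphael(0, 0, 100, 100);
    window.addEventListener("message", (ev) => {
      const reply = handleSandboxMessage(ev.data, (d) => paper.path(d));
      ev.source.postMessage(reply, ev.origin);
    });
  } else if (document.getElementById("sandbox")) {
    // popup.js: post into the iframe once it has loaded and accept replies only from it.
    // The target origin is "*" because a sandboxed page has an opaque origin.
    const frame = document.getElementById("sandbox");
    window.addEventListener("message", (ev) => {
      if (ev.source !== frame.contentWindow) return;
      console.log("sandbox replied", ev.data);
    });
    frame.addEventListener("load", () => {
      frame.contentWindow.postMessage(buildDrawRequest("M0,0L10,10"), "*");
    });
  }
}
```

The point of the filter is that the sandbox still has 'unsafe-eval', so whatever the popup forwards to it must be constrained to the one data type the drawing code needs; a message containing markup or JavaScript is rejected on both sides rather than handed to a page that can evaluate strings.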

Answer 3:

If you check this simple example:

// name added so the snippet parses as a function declaration; body unchanged
function withDelay(params, callback) {
    setTimeout(function () {
        callback(true);
    }, 1000); // CSP
}

The above code does violate CSP, because I am executing the callback function in the setTimeout() definition: setTimeout() receives the result of callback(true) instead of the callback itself. That would then require an eval and thus trigger the Chrome security policy.

Along similar lines, I tried looking at the source code of Raphael's path, but I am not in a good direction; I assume somewhere this sort of code must have been involved.

In Chrome extensions, there is no way to surpass the eval CSP; I suggest using another workaround or pure SVG methods.
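An added example, not code from the original post or from Raphael: a line-oriented triage scan for the constructs that the default extension CSP refuses without 'unsafe-eval'. The third answer went looking through the library's source by hand; running a scan like this over a dependency shows which call trips the policy before choosing between 'unsafe-eval' and a sandboxed page. The sample it runs on is constructed for the example and is not Raphael's source. It is regex-based, so hits are leads to confirm by reading the code, not proof.

```javascript
// Added example, not from the original post or Raphael: find the constructs that
// the default extension CSP blocks without 'unsafe-eval'.

const SINKS = [
  { kind: "eval", re: /\beval\s*\(/ },
  { kind: "Function constructor", re: /\b(?:new\s+)?Function\s*\(/ },
  // Timers are an eval sink only when the code argument is a string literal; a
  // function argument is compiled normally and the directive does not apply to it.
  { kind: "timer with string code", re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/ },
];

// Returns one hit per (line, sink kind). Trailing // comments are dropped before
// matching, a crude rule that misfires on URLs inside strings but cuts noise.
function findEvalSinks(source) {
  const hits = [];
  source.split("\n").forEach((raw, i) => {
    const text = raw.replace(/\/\/.*$/, "");
    for (const s of SINKS) {
      if (s.re.test(text)) hits.push({ line: i + 1, kind: s.kind, text: raw.trim() });
    }
  });
  return hits;
}

function needsUnsafeEval(source) {
  return findEvalSinks(source).length > 0;
}

// Constructed sample, not Raphael's code: two harmless lines and four that trip CSP.
const SAMPLE = [
  "function draw(p) { return paper.path(p); }",
  "setTimeout(function () { cb(true); }, 1000); // function argument: allowed",
  "var glob = Function('return this')();",
  "setTimeout('refresh()', 500);",
  "var add = new Function('a', 'b', 'return a + b');",
  "eval(serialized);",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  for (const h of findEvalSinks(SAMPLE)) console.log(`line ${h.line}: ${h.kind}: ${h.text}`);
}
```

To use it on a real dependency, read the library file and pass its contents to findEvalSinks; a minified build collapses everything onto a few lines, so the reported line numbers are coarse there and the matched text is the useful part.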
