This repository has been archived by the owner on Apr 12, 2024. It is now read-only.

Secure execution in chrome extensions #8777

Closed
dkaigorodov opened this issue Aug 26, 2014 · 7 comments
Comments

@dkaigorodov

The latest AngularJS 1.3 beta 19 uses eval. This is prohibited by default and not recommended for security reasons in chrome extensions.

How to fix the issue without allowing evals? https://developer.chrome.com/extensions/contentSecurityPolicy#relaxing-eval

Error message:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:".

Stack trace:

angular.js:1011
csp angular.js:1011
(anonymous function) angular.js:23556
@caitp (Contributor)

caitp commented Aug 26, 2014

@IgorMinar it sounds like there are still issues with CSP auto-detection in the new beta

@kav2k

kav2k commented Aug 26, 2014

As a comment, relevant Stack Overflow question.

@caitp (Contributor)

caitp commented Aug 26, 2014

Anyways, you should be able to force CSP mode (which will not use new Function(...) when parsing expressions), so as a workaround, include ng-csp on an element in your document.

@dkaigorodov (Author)

@caitp Using ng-csp fixes the issue. Thank you.

@caitp (Contributor)

caitp commented Aug 26, 2014

It fixes your app, but it doesn't fix the bug in angular, because we are technically supposed to be automatically detecting CSP mode =)

@IgorMinar (Contributor)

There is no bug. We tried to autodetect CSP by using it, but that threw an exception which we caught and switched into CSP-safe mode. However, the autodetection caused the warning to be logged in the console. This warning should be ignored.

@IgorMinar (Contributor)

the ngCsp docs already mention that this warning is expected. I don't think that we can do much better than that since there is no better way to autodetect csp mode.
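The two mechanisms discussed in this thread, the `ng-csp` opt-in caitp suggests and the try-it-and-catch autodetection IgorMinar describes, can be reconstructed in a few lines. The block below is an added illustration written for this page; it is not AngularJS's own implementation, and the names `evalAllowed`, `hasNgCspAttribute`, `chooseExpressionMode` and `blockedByCsp` are assumptions chosen for the example. It shows why the console message in the original report appears even though the application keeps working: the probe deliberately triggers the CSP violation once, catches the resulting `EvalError`, and falls back to an interpreter that never compiles strings to code.

```javascript
// Added example (not AngularJS's own code): a minimal reconstruction of the
// CSP auto-detection strategy described in the thread, plus the explicit
// ng-csp opt-in. All function names below are assumptions for illustration.

// Probe whether string-to-code compilation is permitted. Under a Content
// Security Policy whose script-src lacks 'unsafe-eval' (the default for
// Chrome extensions), `new Function(...)` throws an EvalError. The browser
// also logs "Refused to evaluate a string as JavaScript ..." to the console,
// which is the expected warning the thread refers to.
function evalAllowed(makeFunction = (src) => new Function(src)) {
  try {
    // The probe compiles a harmless constant-returning function.
    return makeFunction('return true;')() === true;
  } catch (err) {
    // Any failure (EvalError under CSP, or anything else) means: do not
    // rely on compilation; use the safe mode instead.
    return false;
  }
}

// Explicit opt-in: an `ng-csp` (or `data-ng-csp`) attribute anywhere in the
// document forces CSP-safe mode without running the probe, so no console
// warning is produced. `doc` is anything exposing querySelector().
function hasNgCspAttribute(doc) {
  return Boolean(doc && doc.querySelector('[ng-csp], [data-ng-csp]'));
}

// Decide how template expressions should be evaluated:
//   'interpreted' - CSP-safe mode: expressions are parsed and walked by an
//                   interpreter, never handed to new Function().
//   'compiled'    - expressions may be compiled to JavaScript functions.
function chooseExpressionMode(doc, makeFunction) {
  if (hasNgCspAttribute(doc)) return 'interpreted';
  return evalAllowed(makeFunction) ? 'compiled' : 'interpreted';
}

// Stand-in for the browser's behaviour under an extension's default CSP, so
// the example can run outside a browser. The message text is the one quoted
// in the original report; the function itself is constructed for this example.
function blockedByCsp() {
  throw new EvalError(
    "Refused to evaluate a string as JavaScript because 'unsafe-eval' is not " +
    "an allowed source of script in the following Content Security Policy " +
    "directive: \"script-src 'self' chrome-extension-resource:\"."
  );
}

// Constructed document stand-ins: one page that carries ng-csp, one that does not.
const pageWithNgCsp = { querySelector: () => ({ tagName: 'HTML' }) };
const pageWithoutNgCsp = { querySelector: () => null };

// Walk through the three situations from the thread.
console.log('no ng-csp, eval allowed   ->', chooseExpressionMode(pageWithoutNgCsp));
console.log('no ng-csp, eval blocked   ->', chooseExpressionMode(pageWithoutNgCsp, blockedByCsp));
console.log('ng-csp set, eval blocked  ->', chooseExpressionMode(pageWithNgCsp, blockedByCsp));
```

Run under Node the first line reports `compiled`, because Node imposes no CSP; the second and third report `interpreted`. The difference between them is the point of the thread: without `ng-csp` the probe has to be run, so the browser logs a violation before the fallback kicks in, whereas with `ng-csp` present the probe is skipped and the console stays clean. For an extension, relaxing the manifest's `script-src` to include `'unsafe-eval'` (the option linked in the report) widens what any injected string can do, so opting into CSP-safe mode is the preferable fix.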
