Evaluated JavaScript
The policy against eval() and its relatives like setTimeout(String), setInterval(String), and new Function(String) can be relaxed by adding 'unsafe-eval' to your policy:
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
However, we strongly recommend against doing this. These functions are notorious XSS attack vectors.
Make-plural uses new Function because, well, that's what it does. As described in the very first sentence of the description, "Make-plural is a JavaScript module that translates Unicode CLDR pluralization rules to JavaScript functions." In order to generate said functions, we need to do exactly that.
If you're concerned about compiling the JS functions in your live code, you should consider using the pre-compiled pluralisation functions also provided by make-plural. In addition to the default UMD module, these are available as an ES6 module with:
import plurals from 'make-plural/es6/plurals'
plurals.en(3, true) === 'few' // ordinal category for 3 ("3rd") in English
Alternatively, if you need to use separately defined CLDR data, it would probably make sense for you to compile (and possibly filter) the corresponding functions in your own compile phase, rather than doing so at runtime.
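Added example, not part of the original thread and not make-plural's own code: one way to do the build-phase compilation suggested above, so the extension ships static plural functions and the policy never needs 'unsafe-eval'. SAMPLE_RULES, its simplified rule format and the emit* helpers are assumptions made for illustration; because the rule conditions become source text, they are allowlisted before being emitted.

```javascript
// Build-time generator (run under Node, not inside the extension).
// SAMPLE_RULES is constructed for this example: a simplified stand-in for
// CLDR data, integer n only. Each entry is [category, condition].
const SAMPLE_RULES = {
  en: {
    cardinal: [['one', 'n === 1']],
    ordinal: [
      ['one', 'n % 10 === 1 && n % 100 !== 11'],
      ['two', 'n % 10 === 2 && n % 100 !== 12'],
      ['few', 'n % 10 === 3 && n % 100 !== 13'],
    ],
  },
};

// Conditions are written into source text, so allow only `n`, digits,
// %, ===, !==, &&, ||, parentheses and whitespace.
const SAFE_CONDITION = /^(?:n|\d|%|[!=]==|&&|\|\||[()]|\s)+$/;
const CATEGORIES = ['zero', 'one', 'two', 'few', 'many', 'other'];

function emitBranches(list) {
  return list.map(([category, condition]) => {
    if (!CATEGORIES.includes(category)) throw new Error('bad category: ' + category);
    if (!SAFE_CONDITION.test(condition)) throw new Error('bad condition: ' + condition);
    return `if (${condition}) return '${category}';`;
  }).join(' ');
}

// Source text of one plural function with the (n, ord) call shape.
function emitFunction(locale, rules) {
  if (!/^[a-z]{2,3}$/.test(locale)) throw new Error('bad locale: ' + locale);
  return `function ${locale}(n, ord) { ` +
    `if (ord) { ${emitBranches(rules.ordinal)} return 'other'; } ` +
    `${emitBranches(rules.cardinal)} return 'other'; }`;
}

// Full ES module text, to be written to disk and shipped as a static file.
function emitModule(allRules) {
  const locales = Object.keys(allRules);
  const body = locales.map((l) => emitFunction(l, allRules[l])).join('\n');
  return `${body}\nexport default { ${locales.join(', ')} };\n`;
}
```

The output of emitModule is an ordinary script file, so it loads under script-src 'self' like any other bundled code.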
The library uses a new Function construct, which violates the script-src CSP rule.
Please see: https://developer.chrome.com/extensions/contentSecurityPolicy#relaxing-eval
Maybe this helps to fix this issue: http://dfkaye.github.io/2014/03/14/javascript-eval-and-function-constructor/