fix: disable unsafe-eval in production

ineo6 · Mar 12, 2021 · 01ed739 · 01ed739
1 parent 59a3dae
commit 01ed739
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 17 deletions.
diff --git a/src/manifest/index.js b/src/manifest/index.js
@@ -4,6 +4,12 @@ const devMatches = ['https://github.com/*', 'https://gitlab.com/*', 'https://try
 
 const prodMatches = ['http://*/*', 'https://*/*'];
 
+let csp = "script-src 'self' https://ssl.google-analytics.com 'unsafe-eval'; object-src 'self'";
+
+if (process.env.NODE_ENV === 'production') {
+  csp = "script-src 'self' https://ssl.google-analytics.com; object-src 'self'";
+}
+
 const manifestInput = {
   manifest_version: 2,
   name: '__MSG_name__',
@@ -26,7 +32,7 @@ const manifestInput = {
 
   web_accessible_resources: ['*.woff2', '*.png', '*.gif', 'inject.js'],
 
-  content_security_policy: "script-src 'self' https://ssl.google-analytics.com 'unsafe-eval'; object-src 'self'",
+  content_security_policy: csp,
 
   '__chrome|firefox__author': 'neo',
   __opera__developer: {

diff --git a/views/inject.js b/views/inject.js
@@ -20,18 +20,6 @@ function executeHandle(type, handle) {
   }
 }
 
-// 通过postMessage调用content-script
-function invokeContentScript(code) {
-  window.postMessage(
-    {
-      cmd: 'invoke',
-      code: code,
-      from: gmPageId,
-    },
-    '*'
-  );
-}
-
 // 发送普通消息到content-script
 function sendMessageToContentScriptByPostMessage(data) {
   window.postMessage(
@@ -51,10 +39,7 @@ window.addEventListener(
       return;
     }
 
-    if (e.data && e.data.cmd === 'invoke') {
-      // eslint-disable-next-line no-eval
-      eval('(' + e.data.code + ')');
-    } else if (e.data && e.data.cmd === 'message') {
+    if (e.data && e.data.cmd === 'message') {
       const data = e.data.data;
 
       if (data.type && data.handle) {