Template's 'new Function' blocked by CSP

[bruun]

The template rendering causes a CSP error, violating the unsafe-eval property: http://www.w3.org/TR/CSP/#script-src

render = new Function(settings.variable || 'obj', '_', source);

This was pointed out, and fixed, in Mustache a few months back: cweider/mustache.js@dac6470

[jdalton]

The use of the evaluate delimiter makes Function(...) use necessary without making the _.template function too complex. You can always precompile your templates or use Underscore sandboxed.

[jashkenas]

Let's tag 'em as we close 'em ;)

[evert]

Is there any chance at all this could be reconsidered. Some googling reveals a number of people running into this, and it would be brilliant if one of underscore.js's design goals is: runs perfectly in environments where CSP is deployed.

Note that this is not Chrome-specific, this will appear in any CSP-enabled browser.

[jashkenas]

Not without us implementing a JavaScript interpreter, I think.

[evert]

That is unfortunate! Thanks for answering though...

[jvoisin]

@jdalton Care to elaborate about how to "precompile your templates"?
I'd like to close this Tor project issue ASAP.
Thank you :)

[jdalton]

@jvoisin One option is to use lodash-cli. For support on that head over to their gitter chat.

lodash template="./*.jst" settings="{interpolate:/\{\{([sS]+?)\}\}/g}"