messageformat requires unsafe-eval in Content-Security-Policy #180
Comments
If you build your messages (say, as part of your webpack build), they get built into very small, fast functions that don’t violate
I have a use case where the message strings are only available at runtime, not build-time, and I cannot change the CSP to allow eval. Is there any hope for a mechanism that will allow messageformat to work in that environment?
It’s unlikely with our setup, I think. The formatjs folks have their own very similar version though, `intl-messageformat`, I’m pretty sure. That’ll do what you’re looking for.
On Sun, Mar 4, 2018 at 12:23 AM Simon Tesla ***@***.***> wrote:
> I have a use case where the message strings are only available at runtime,
> not build-time, and I cannot change the CSP to allow eval. Is there *any*
> hope for a mechanism that will allow messageformat to work in that
> environment?
When using a CSP which does not allow unsafe-eval, the 'new Function' throws an EvalError, as per the spec.
However, messageformat uses this:
```js
if (typeof messages != 'object') {
  var fn = new Function(
      'number, plural, select, fmt', Compiler.funcname(locale),
      'return ' + obj);
  var rt = this.runtime;
  return fn(rt.number, rt.plural, rt.select, this.fmt, pf[locale]);
}
```
Is there another way to fix this?
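One way to format runtime-only message strings under a CSP without `unsafe-eval` is to parse the message into a tree and interpret it, instead of compiling it with `new Function`. The following is an added example, not code from messageformat or from anyone in this thread; `parseMessage` and `formatMessage` are hypothetical names, and only simple arguments, `plural` and `select` are handled.

```javascript
// Added example (hypothetical names, not messageformat's API): interpret the tree, never compile.
function parseMessage(src) {
  let pos = 0;
  const take = (re) => { re.lastIndex = pos; const text = re.exec(src)[0]; pos += text.length; return text; };
  const ws = () => take(/\s*/y);
  const word = () => take(/\s*[^\s,{}]*/y).trim();
  const expect = (ch) => {
    ws();
    if (src[pos++] !== ch) throw new SyntaxError(`expected "${ch}" at offset ${pos - 1}`);
  };
  const parseBody = (nested) => {
    const nodes = [];
    while (pos < src.length && !(nested && src[pos] === '}')) {
      if (src[pos] === '{') { pos++; nodes.push(parseArg()); }
      else if (src[pos] === '#') { pos++; nodes.push({ type: 'pound' }); }
      else nodes.push(take(/\}?[^{}#]*/y)); // literal text (a stray top-level "}" is kept as text)
    }
    return nodes;
  };
  const parseArg = () => {
    const node = { type: 'arg', name: word(), cases: new Map() }; // Map: keys like "__proto__" are inert
    if (take(/\s*,?/y).endsWith(',')) {
      node.type = word();
      if (!['plural', 'select'].includes(node.type)) throw new SyntaxError(`unsupported type "${node.type}"`);
      expect(',');
      for (ws(); pos < src.length && src[pos] !== '}'; ws()) {
        const key = word();
        expect('{');
        node.cases.set(key, parseBody(true));
        expect('}');
      }
    }
    expect('}');
    return node;
  };
  return parseBody(false);
}

function formatMessage(nodes, args, locale = 'en', count) {
  return nodes.map((n) => {
    if (typeof n === 'string') return n;
    if (n.type === 'pound') return count === undefined ? '#' : String(count);
    const value = Object.prototype.hasOwnProperty.call(args, n.name) ? args[n.name] : '';
    if (n.type === 'arg') return String(value);
    const isPlural = n.type === 'plural';
    const key = isPlural ? new Intl.PluralRules(locale).select(Number(value)) : String(value);
    const branch = (isPlural && n.cases.get(`=${value}`)) || n.cases.get(key) || n.cases.get('other') || [];
    return formatMessage(branch, args, locale, isPlural ? value : count);
  }).join('');
}
```

Because the message is only ever data walked by `formatMessage`, a message string received at runtime cannot introduce executable code, and the page's CSP can stay free of `unsafe-eval`.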