Add CSP-compliant mode (Content Security Policy) #87
Not sure what your setup is - but it should work. Here's an example: http://jsfiddle.net/yyx990803/Rjk3x/
Figured out the source of the problem. When I do
AngularJS added a
I see. I think this probably will be implemented as an optional plugin, although I'm not sure if I have time for it any time soon. If you could edit the title to be CSP specific I can keep it open for further discussion. Thanks.
For now, you should be able to enable unsafe-eval in your extension via manifest.json. If you don't have script-src present, it defaults to the original secure settings. Granted that enabling such a thing is not recommended, but it'll get you running until a solution is cemented.
Chrome Apps are not allowed to relax the CSP. From Google's docs:
@feross Cripes, I thought he was doing an extension. Good shout.
One option seems to be to avoid using anything but the simplest expressions which can be parsed, it seems, without the use of
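The idea raised in the comment above, as an added example that is not part of the thread or of Vue's code: resolving only plain property paths without any string-to-function conversion, and rejecting everything else. The names `parsePath` and `getPath` and the sample scope are assumptions made for illustration.

```javascript
// Added example; parsePath and getPath are hypothetical names, not Vue APIs.
// String-to-function conversion (eval, new Function) is refused by a CSP
// that lacks 'unsafe-eval'. Plain property paths can be resolved without it.

const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
// One path segment: identifier, [digits], or ['quoted key'] / ["quoted key"].
const SEGMENT = /(?:^|\.)([A-Za-z_$][\w$]*)|\[(\d+)\]|\[(['"])((?:(?!\3).)*)\3\]/y;

// Returns the list of keys, or null when expr is anything but a plain path.
function parsePath(expr) {
  const src = String(expr).trim();
  const keys = [];
  let pos = 0;
  while (pos < src.length) {
    SEGMENT.lastIndex = pos;
    const m = SEGMENT.exec(src);
    if (!m || (pos === 0 && m[0][0] === '.')) return null;
    const key = m[1] ?? m[2] ?? m[4];
    if (BLOCKED.has(key)) return null; // no prototype-chain keys
    keys.push(key);
    pos = SEGMENT.lastIndex;
  }
  return keys.length ? keys : null;
}

// Walks own properties only; a missing link yields undefined, not a throw.
function getPath(scope, expr) {
  const keys = parsePath(expr);
  if (keys === null) throw new SyntaxError('unsupported expression: ' + expr);
  let cur = scope;
  for (const key of keys) {
    if (cur == null || !Object.prototype.hasOwnProperty.call(cur, key)) return undefined;
    cur = cur[key];
  }
  return cur;
}

// Constructed sample scope and bindings.
const scope = { user: { name: 'Ada', tags: ['a', 'b'] }, 'x-y': 1 };
for (const expr of ['user.name', 'user.tags[1]', "['x-y']", 'user.name()', 'a + b']) {
  try { console.log(expr, '=>', getPath(scope, expr)); }
  catch (e) { console.log(expr, '=> rejected'); }
}
```

Anything with a call, operator or prototype-chain key fails closed at parse time, so no `script-src` relaxation is needed for the bindings that do pass.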
I think CSP support will take quite some time to land. In the meanwhile if you really want to use Vue in a Chrome app, could a sandboxed architecture work for you? i.e. running a Vue interface in the front and communicate with it via message passing: http://developer.chrome.com/apps/app_external.html#sandboxing
The sandbox approach could work, but I'm not keen on adding that additional complexity (i.e. turning all sync function calls / property accesses into async ones). It's unfortunate that chrome apps are so restrictive and don't allow loosening the CSP. In the meantime, I'm going to just use EventEmitter and hook the events to the DOM manually for webtorrent. I don't think it will be too bad, though when CSP support lands I'll take another look at using vue.js. Thanks!
Pre-compiling would be another way to approach this. See:
good find feross!
@feross unfortunately,
Closing for now because implementing a CSP-compliant expression parser would significantly bloat the code base for a marginal use case. In hindsight, it is possible to avoid using expressions altogether by using only computed properties...
This is a significant blocker for us using vue.js in a privileged environment on FirefoxOS apps – we have a sandbox workaround, but still really sucks :( Personally I'd love to see CSP-compliance implemented here, I am guessing this will be a blocker on more and more projects |
@k88hudson I had the same use-case. You can package Vue manually with a JavaScript parser and all that's needed is modifying a couple places Vue uses string-to-function conversion. It's not the prettiest implementation, but you can check it out here: cecchi@d1caa52
@cecchi thanks, awesome! @yyx990803 any chance you'd consider merging an implementation using
@k88hudson it will most likely be a separate build, since a CSP compliant interpreter can add some bulky code which is not needed in other situations. But yeah, that's definitely on the roadmap, I've just been waiting to finish the 0.11 refactor first.
I meet this same problem in Vue@2.x. I solved it just add the page to
Thanks to @luxp. This way does not work for me:
But your way did work for me, saving my time! Thanks a lot.
I might be missing something obvious here, and if so, I apologize in advance.
I expected this to work:
But it didn't. Is there a good reason for this?