Can't use Raphael JS to draw a path in a Chrome extension popup because of security policy?

If I try to use Raphael to draw a path in the default_popup page for my Chrome extension:

r.path("M0,0L10,10");

I get the following error:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:".

I understand the need to disallow eval() and things like that, but why is this "evaluating a string as JavaScript"? Is there any alternative way to generate the path without the path string besides setting an unsafe security policy that would also wind up allowing eval()?

NChase asked Feb 13 '13 14:02


2 Answers

In order to use eval() in your extension, add the following line in your manifest.json (I assume that you're using manifest v2):

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"

As you might guess, the directive 'unsafe-eval' does the trick.

Sergii answered Nov 15 '22 10:11


Sergii's solution is working. However, it's not recommended to do this, since it makes your extension vulnerable to XSS attacks.

You should use sandboxing instead: http://developer.chrome.com/apps/sandboxingEval.html

andreas answered Nov 15 '22 12:11
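
A sketch of the sandboxing approach recommended in the last answer, as an added example that is not part of either answer or of Chrome's documentation: the popup keeps the default Content Security Policy and sends the path string as data to a sandboxed page, which is the only place Raphael runs. The file name sandbox.html, the message types and the two function names are assumptions.

```javascript
// Added example, not code from the page. Assumed names: sandbox.html, the
// 'draw-path'/'drawn' message types, makeSandboxHandler, makeSandboxClient.
//
// manifest.json (manifest v2) keeps the default CSP and declares the page:
//   "sandbox": { "pages": ["sandbox.html"] }
// popup.html embeds it: <iframe id="sandbox" src="sandbox.html"></iframe>
// sandbox.html loads Raphael; libraries that need eval() run only there.

// Sandbox side: wire with window.addEventListener('message', handler).
function makeSandboxHandler(draw) {
  return function onMessage(event) {
    const msg = event.data;
    // The path arrives as data; reject anything that is not the expected shape.
    if (!msg || msg.type !== 'draw-path' || typeof msg.path !== 'string') {
      return false;
    }
    draw(msg.path); // in the extension: (p) => r.path(p)
    // Reply only to the window that asked, addressed to its origin.
    event.source.postMessage({ type: 'drawn', id: msg.id }, event.origin);
    return true;
  };
}

// Popup side: frameWindow is the iframe's contentWindow.
function makeSandboxClient(frameWindow) {
  const pending = new Map();
  let nextId = 1;
  return {
    drawPath(path, done) {
      const id = nextId++;
      pending.set(id, done);
      // A sandboxed page has a unique origin, so the target is '*';
      // keep secrets out of these messages.
      frameWindow.postMessage({ type: 'draw-path', id, path }, '*');
      return id;
    },
    onMessage(event) {
      // Authenticate the reply by window identity, not by origin string.
      if (event.source !== frameWindow) return false;
      const msg = event.data;
      if (!msg || msg.type !== 'drawn' || !pending.has(msg.id)) return false;
      const done = pending.get(msg.id);
      pending.delete(msg.id);
      done();
      return true;
    },
  };
}
```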