
eval in chrome package app

I would like to create a package app chrome extension to allow the user to write and execute javascript code (like a javascript console).

I would like to use the eval() function to execute the JS code.

The classic javascript eval function throws an error when it's called from a chrome extension:

Uncaught Error: Code generation from strings disallowed for this context

To use eval in a chrome extension people need to use a sandbox, but when I write the sandbox in the manifest I get this error:

There were warnings when trying to install this extension: 'sandbox' is not allowed for specified package type (theme, app, etc.).

UPDATE

According to this issue, sandboxes are not supported for package apps, so I have two questions:

  1. Is there another method which I can use instead of eval()?

  2. Is it possible to use eval without a sandbox? (I think probably not for security reasons?)

Charles asked Aug 10 '12 07:08



1 Answer

UPDATE:

Since at least January 2013, Chrome now permits the unsafe-eval Content Security Policy (CSP) directive, which allows eval execution outside of a sandbox:

The policy against eval() and its relatives like setTimeout(String), setInterval(String), and new Function(String) can be relaxed by adding 'unsafe-eval' to your policy

Add an appropriate CSP to your extension manifest, like:

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'" 

The bug you refer to is now marked fixed, and has been included since Chrome 22.

Prior to the introduction of 'unsafe-eval', there was no way to have the CSP of a manifest_version: 2 extension allow execution of arbitrary text as code. At the time, Google made it clear there was no way to remove this restriction (outside of sandboxing):

Inline JavaScript, as well as dangerous string-to-JavaScript methods like eval, will not be executed... There is no mechanism for relaxing the restriction against executing inline JavaScript. In particular, setting a script policy that includes unsafe-inline will have no effect. This is intentional.

As mentioned above, this restriction can now be relaxed.

apsillers answered Oct 14 '22 03:10
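
As an added example (not part of the original answer, and not Chrome's own code), the following auditor checks whether a manifest's content_security_policy re-enables eval() in the way the answer describes. The function names and sample manifests are constructed for illustration; it assumes a missing policy leaves eval blocked and applies the standard CSP fallback from script-src to default-src.

```javascript
// Added example (not from the original answer). Helper names are hypothetical.
// Reports whether a manifest's content_security_policy re-enables eval().

// Parse "name src src; name src" into a Map of directive -> sources.
// Sources are lower-cased only so that keywords can be compared.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // In CSP the first occurrence of a directive wins; duplicates are ignored.
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

function auditManifest(manifest) {
  const policy = manifest.content_security_policy;
  // Assumption: with no policy string the default applies and eval stays
  // blocked, which is the behaviour the question's error message shows.
  if (typeof policy !== "string") {
    return { evalAllowed: false, directive: null, noEffect: [] };
  }
  const directives = parseCsp(policy);
  // script-src governs eval(); standard CSP falls back to default-src.
  const directive = directives.has("script-src") ? "script-src"
    : directives.has("default-src") ? "default-src" : null;
  const sources = directive ? directives.get(directive) : [];
  return {
    evalAllowed: sources.includes("'unsafe-eval'"),
    directive,
    // Per the documentation quoted in the answer, 'unsafe-inline' has no effect.
    noEffect: sources.filter((s) => s === "'unsafe-inline'"),
  };
}

// Constructed sample manifests.
const samples = {
  answerPolicy: { manifest_version: 2,
    content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'" },
  noPolicy: { manifest_version: 2 },
  inlineOnly: { manifest_version: 2,
    content_security_policy: "script-src 'self' 'unsafe-inline'; object-src 'self'" },
};
for (const [name, manifest] of Object.entries(samples)) {
  console.log(name, JSON.stringify(auditManifest(manifest)));
}
```

Running an audit like this over extension manifests during review makes it visible which ones have opted back into string-to-code execution.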