Remove 'unsafe-eval' from CSP

Open fregante opened this issue 3 years ago • 0 comments

'unsafe-eval' is not allowed in MV3’s manifest:

[Screenshot]

Dropping it resurfaces:

  • https://github.com/pixiebrix/pixiebrix-extension/issues/2946

[Screenshot]

Tasks

  • [ ] Revert https://github.com/pixiebrix/pixiebrix-extension/pull/3019

Our options

  1. Get RJSF to add support for an eval-less validation library (either by asking nicely or by submitting a PR). We use: npmjs.com/package/@cfworker/json-schema. (I had actually looked at AJV previously but didn't use it because of eval.)
  2. Move schema validation to the Chrome sandbox: Move template engine and brick evaluation to Chrome sandbox #105. This would probably also require modifying RJSF to support a custom validation function. This approach is nice because it also makes sense to move Nunjucks and JQ over there.
  3. Modify AJV to not require Function.

fregante, Sep 30 '22 09:09
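
A check for the condition this issue describes, as an added example that is not part of the original issue or the PixieBrix code base: it reports where a manifest's CSP declares 'unsafe-eval', marking MV3's `extension_pages` as rejected and `sandbox` (the target of option 2) as permitted. The function names, status labels and sample manifest are constructed for illustration.

```javascript
// Added example. The sample manifest at the bottom is constructed.

// Parse a CSP string into Map<directive, sources[]> (everything lowercased).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/).filter(Boolean);
    // Duplicate directives are ignored: the first occurrence wins.
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// True when the directive governing scripts lists 'unsafe-eval'.
// An exact token match keeps 'wasm-unsafe-eval' from being flagged.
function declaresUnsafeEval(policy) {
  const d = parseCsp(policy);
  const sources = d.get('script-src') ?? d.get('default-src') ?? [];
  return sources.includes("'unsafe-eval'");
}

// Report every manifest CSP entry that declares 'unsafe-eval'.
function auditEvalCsp(manifest) {
  const csp = manifest.content_security_policy;
  const findings = [];
  if (typeof csp === 'string') {
    // MV2 form: one policy string for the whole extension.
    if (declaresUnsafeEval(csp)) {
      findings.push({ key: 'content_security_policy', status: 'blocks-mv3-migration' });
    }
  } else if (csp && typeof csp === 'object') {
    // MV3 form: separate policies for extension pages and sandboxed pages.
    if (declaresUnsafeEval(csp.extension_pages ?? '')) {
      findings.push({ key: 'extension_pages', status: 'rejected' });
    }
    if (declaresUnsafeEval(csp.sandbox ?? '')) {
      findings.push({ key: 'sandbox', status: 'allowed' });
    }
  }
  return findings;
}

// Constructed sample: eval is requested for both page types.
const sampleManifest = {
  manifest_version: 3,
  content_security_policy: {
    extension_pages: "script-src 'self' 'unsafe-eval'; object-src 'self'",
    sandbox: "sandbox allow-scripts; script-src 'self' 'unsafe-eval'",
  },
};
```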