CSP unsafe-eval error

[jamesspencer]

The use of new Function() and eval() prevents us from using angular-data due to Content Security Policy violations: https://developer.chrome.com/extensions/contentSecurityPolicy

Can/will this be changed?

Thanks!

[jmdobry]

If I understand correctly, eval does not work in a particular environment, and therefore angular-data does not work, correct? If I add some fallback code to angular-data that will run if eval isn't available will that work for you?

[jmdobry]

@jamesspencer Will 2487771 work?

[jamesspencer]

@jmdobry that's correct and the try/catch block does make things work for us, thanks!

However, the app still generates an error (logged to the console) when eval and derivatives such as new Function() are executed but this is caught and the workaround kicks in.

It might be worth adding an explicit setting (csp: true/false) that doesn't try to run eval or new Function so this error is never generated. Angular includes the ng-csp directive that is used to signify whether CSP is active for the site, I wonder if that could be hooked into.

[jmdobry]

I'll add an option.

[jamesspencer]

Excellent!

FWIW the following are the LOC known to trigger the error:

• https://github.com/jmdobry/angular-data/blob/2487771f4e9b2d8a7e922520b6d5a62c71bc73fa/dist/angular-data.js#L91
• https://github.com/jmdobry/angular-data/blob/2487771f4e9b2d8a7e922520b6d5a62c71bc73fa/dist/angular-data.js#L371
• https://github.com/jmdobry/angular-data/blob/2487771f4e9b2d8a7e922520b6d5a62c71bc73fa/dist/angular-data.js#L385
• https://github.com/jmdobry/angular-data/blob/2487771f4e9b2d8a7e922520b6d5a62c71bc73fa/dist/angular-data.js#L5657
• https://github.com/jmdobry/angular-data/blob/2487771f4e9b2d8a7e922520b6d5a62c71bc73fa/dist/angular-data.js#L5658

[jmdobry]

Hmm, I didn't realize observe-js used eval. I'll have to figure that one out.

The last two errors will be easily hidden by the option.

[jamesspencer]

Looks like a fix is in the works for observe-js googlearchive/observe-js#69

[jmdobry]

js-data and js-data-angular (angular-data 2.0) have been updated to observe-js 0.5.4, so I believe this issue is fixed with js-data v1.0.0 + js-data-angular v2.0.0

[jamesspencer]

Success!

Thanks :)