Update fragmentPath method to not use Function constructor (CSP 'unsafe-eval' issue)
jketcham opened this issue · comments
I'm testing out this module in a browser extension and get a CSP error because of the Function constructor used in the fragmentPath
method here (trips the 'unsafe-eval' source expression for the 'script-src' directive; more info). This prevents me from using the module as-is with my extension's CSP.
In my testing, I was able to just replace that Function constructor:
var getter = new Function("fragments", "return fragments." + path.replace(/\./g, FRAGMENT_SEPERATOR));
with this:
var obj = fragments[path.replace(/\./g, FRAGMENT_SEPERATOR)];
Without issue.
Is this a change that would be considered for the module? Or am I missing something that requires the current usage?
Thanks!