CSP issue on browser webextensions
eugenioemmolo opened this issue · comments
Error: 'Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' blob: filesystem:"'
Extensions restrictions: https://developer.chrome.com/extensions/contentSecurityPolicy#restrictions
Hi,
I would like to use the library on a browser webextension but due to CSP restrictions the following code causes the aforementioned error:
var isNode = new Function("return (typeof process !== 'undefined') && process.versions && process.versions.node");
https://github.com/rsmbl/Resemble.js/blob/master/resemble.js#L6
Would it be possible to replace the Function
constructor to solve the CSP issue?
After some research I found 3 ways to accomplish the same goal:
- Use the
globalThis
object to directly access the process object - Define a function that retrieves the
global
object (as defined here https://github.com/paulmillr/es6-shim/blob/master/es6-shim.js#L176 ) - Define a polyfill function as shown here https://mathiasbynens.be/notes/globalthis#robust-polyfill
Which one do you think I could implement to solve the issue and open the PR? Any further proposal will be highly appreciated.
Thank you in advance.
globalThis
seems like a sensible way forward. Worth noting that it will not work in IE11.