Handlebars.js: Chrome extension manifest v2 restricts use of eval

Created on 25 Feb 2013  路  5Comments  路  Source: handlebars-lang/handlebars.js

Handlebars will not work in Chrome extensions with manifest_version: 2 because of a new security policy that restricts the use of eval and eval-like syntax.

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:".
handlebars.js:1402
JavaScriptCompiler.createFunctionContext handlebars.js:1402
JavaScriptCompiler.compile handlebars.js:1320
compile handlebars.js:2105
(anonymous function) handlebars.js:2112
(anonymous function) panel.js:14 <--- my script called Handlebars.compile()

Most helpful comment

That basically defeats the whole point of using a CSP to prevent injection.

All 5 comments

This is inherit to the design of the framework. If you are running in an environment that you can not use dynamically generated javascript you will need to precompile your templates and include the generated output with your package.

This is troubling to me. Here's a quote from the Google page:

"We recognize, however, that a variety of libraries use eval() and eval-like constructs such as new Function() for performance optimization and ease of expression. Templating libraries are especially prone to this style of implementation. _While some (like Angular.js) support CSP out of the box,_ many popular frameworks haven't yet updated to a mechanism that is compatible with extensions' eval-less world. Removing support for that functionality has therefore proven more problematic than expected for developers."

So, some template systems can manage to be CSP-compliant, but not Handlebars? So, now that I've used Handlebars in my project, I'm stuck with 2 choices to get my app CSP-compliant:

1) Rip out Handlebars
2) Pre-compile all of my templates.

Given the dynamic nature of my templates, pre-compile isn't an option. So, now I have to rip out handlebars because this defect is closed.

Is it not possible to follow the CSP guide here?

"You can allow it by adding 'unsafe-eval' to your sources list"

That basically defeats the whole point of using a CSP to prevent injection.

FWIW, Cloudant (based on Apache CouchDB) recently changed their in-database script processing to also prevent eval() and new Function() https://console.bluemix.net/docs/services/Cloudant/release_info/deprecations.html#disabled-javascript-constructors

Precompiling templates into JS works for some scenarios, but not for all of them. It'd be great if there were other options, so that Handlebars.js could be used more places.

But...that might just be wishful thinking. :smiley: 馃挱

Was this page helpful?
0 / 5 - 0 ratings

Related issues

rizen picture rizen  路  6Comments

ShintaroOkuda picture ShintaroOkuda  路  7Comments

nknapp picture nknapp  路  3Comments

novwhisky picture novwhisky  路  4Comments

snimavat picture snimavat  路  5Comments