Mathjs: Javascript "Unsafe Eval" Chrome Webapps

Created on 25 Jan 2016 · 7 Comments · Source: josdejong/mathjs

When attempting to use "math.js" in any Chrome app the following appears:

    Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' blob: filesystem: chrome-extension-resource:".

The line (1715) it errors at is here (in the non-compiled version):

    var factory = (new Function(refs.name, 'createError', body));

Any idea what it might take to get math.js to work in Chrome webapps?

question

All 7 comments

Been doing a bit more digging. Apparently "new Function" can be a security vulnerability, so Chrome Apps do not allow it. :(
https://developer.chrome.com/extensions/contentSecurityPolicy

math.js deeply relies on evaluating JavaScript on the fly; this gives it its flexibility of working with different data types and automatically converting them, and gives quite a performance boost, for example for parsing and evaluating expressions.

On the page you mention there is a section "Relaxing the default policy":

Evaluated JavaScript
The policy against eval() and its relatives like setTimeout(String), setInterval(String), and new Function(String) can be relaxed by adding 'unsafe-eval' to your policy:

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"

However, we strongly recommend against doing this. These functions are notorious XSS attack vectors.

Did you give that a try?
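As an added example (not code from the mathjs project or from anyone in this thread), the following checks a CSP string for the 'unsafe-eval' source on script-src, falling back to default-src the way the browser does, and probes whether `new Function` is actually permitted at runtime, so a library that depends on it can fail cleanly instead of throwing an EvalError mid-load. The two policy strings are the ones quoted in this thread; the function names are my own.

```javascript
// Added example: decide from a Content-Security-Policy string whether
// eval()/new Function() would be permitted, and probe the live environment.

// Parse "directive src src; directive src" into a Map of directive -> [sources].
// As in the CSP spec, only the first occurrence of a directive is honoured.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) {
      directives.set(key, sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// script-src governs eval; if it is absent, default-src applies;
// if neither is present the policy places no restriction on eval.
function cspAllowsEval(policy) {
  const directives = parseCsp(policy);
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true;
  return sources.includes("'unsafe-eval'");
}

// Runtime probe: under a CSP without 'unsafe-eval', `new Function` throws
// an EvalError synchronously, so a caller can pick a fallback instead of crashing.
function evalAvailable() {
  try {
    return new Function('return 1')() === 1;
  } catch (e) {
    if (e instanceof EvalError) return false;
    throw e; // anything else is a real bug, not a policy decision
  }
}

// The two policies quoted in this thread (constructed constants for the example).
const CHROME_APP_DEFAULT = "default-src 'self' blob: filesystem: chrome-extension-resource:";
const EXTENSION_RELAXED = "script-src 'self' 'unsafe-eval'; object-src 'self'";

console.log('Chrome App default allows eval:', cspAllowsEval(CHROME_APP_DEFAULT));
console.log('Relaxed extension policy allows eval:', cspAllowsEval(EXTENSION_RELAXED));
console.log('This runtime allows eval:', evalAvailable());
```

Run under Node (which enforces no CSP) the probe reports true; inside a packaged app the same probe returns false before math.js would have hit line 1715.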

Many thanks for your reply. Yes, that was the first thing I tried though regretfully that only applies to extensions, not apps. Regretfully I am using chrome apps.

When you combine systems like Node.js or Chrome Apps that have access to your full file system with on-the-fly JavaScript parsing, apparently it can make for some nasty exploits, which is why Chrome at least blocks it.

I don't know about other people, but I can't get it to work in Chrome Extensions, let alone Chrome Apps.

I haven't tried that, so I'm not sure.

Just as a side note: Chrome Apps will become deprecated soon, so I guess it's better not to spend effort on creating a new Chrome app.

@josdejong thanks, yeah, I am creating an extension, not an app, so it should be safe.

Using the following in manifest.json actually worked for me:

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"

Good to hear you have a working solution now! Looks like the solution I quoted earlier in this topic (https://github.com/josdejong/mathjs/issues/559#issuecomment-174647339) still works then after all.
