The latest release of redux-devtools-extension I can see on GitHub is 2.15.0. The Chrome Web Store distribution states version 2.15.1 and was updated May 7, 2017. The Mozilla Add-ons distribution states version 2.13.1 and was updated February 6, 2017.
Would it be possible to update the Firefox add-ons distribution? Especially now that #343 has been merged.
It was published, but is still waiting for the review.
We're looking into this, sorry for the delay.
Hey @clarkbw. Thanks for chiming in! It got rejected yesterday because there's an eval in the code. Strange that it was present from the beginning in the previous versions as well (but the validator wasn't checking it before). We'll try to address it in https://github.com/kolodny/jsan/issues/17.
Hi @zalmoxisus, sorry this was not noticed before. I'll take a closer look and make sure I didn't miss any issues. Sometimes eval is just part of webpack or similar tools and not actually harmful, but we are currently expediting reviews that don't have eval in the validator messages.
If you can see if everything is still working well with unsafe-* removed from the CSP then that may be sufficient. The eval webpack uses is in a try/catch, so it will gracefully continue.
@kewisch thanks for looking into it!
To clarify, I didn't mean to blame anyone for not noticing that; it seems that this check (for eval) was added to the validator recently, as there were no warnings for the previous versions.
Seems like style-src * 'unsafe-inline' is not necessary indeed. I'll check it thoroughly tomorrow and publish.
Great, looking forward! We did indeed make some linter changes that added eval checks recently. I just filed https://github.com/mozilla/addons-linter/issues/1300 to make sure the webpack eval is not flagged.
Turns out that eval wasn't added by webpack. It's from cycle.js, which is the dependency of socketcluster-client > sc-errors. I'll try to convince them to drop that dependency.
@kewisch we've got rid of eval from socketcluster-client; however, there are calls to the Function constructor in other parts. It shouldn't be a problem anyway as it's not allowed in the manifest. I also removed unsafe-inline and submitted 2.15.1 for review. Thanks for your help!
Awesome, thanks! I'll take a look at this soon, thanks for the quick turnaround
Thank you for your work, I've approved the new version.
Thanks a lot for your help on this!
@zalmoxisus there was an issue with the latest version as mentioned in https://github.com/zalmoxisus/redux-devtools-extension/issues/568#issuecomment-434712564
And I assume it was pulled down because of this. It's now back up with version 2.13.1 as of now.
I think this should be reopened, or a new one created.
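The manifest check discussed in this thread (whether the policy still carries unsafe-* or a wildcard, and whether eval and the Function constructor are blocked) can be automated before submitting a build. The following is an added example, not code from the thread or from the project; it assumes a Manifest V2 style string in content_security_policy, and both sample manifests are constructed.

```javascript
// Added example. The sample manifests are constructed, not the extension's real files.
// Assumption: Manifest V2, where content_security_policy is a single string.
const DEFAULT_EXTENSION_CSP = "script-src 'self'; object-src 'self'"; // MV2 default
const RISKY = new Set(["'unsafe-eval'", "'unsafe-inline'", '*']);

// Parse a policy string into Map(directive name -> array of source expressions).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Return findings such as "style-src 'unsafe-inline'" for a manifest.json object.
function auditManifest(manifest) {
  const csp = parseCsp(manifest.content_security_policy || DEFAULT_EXTENSION_CSP);
  const findings = [];
  for (const name of ['script-src', 'style-src']) {
    // Fetch directives fall back to default-src when absent.
    const sources = csp.get(name) || csp.get('default-src');
    if (!sources) {
      // A custom policy without script-src/default-src does not restrict scripts.
      if (name === 'script-src') findings.push('script-src missing');
      continue;
    }
    for (const src of sources.map(s => s.toLowerCase())) {
      if (RISKY.has(src)) findings.push(`${name} ${src}`);
    }
  }
  return findings;
}

// True when eval() and the Function constructor are refused under the policy.
function blocksEval(manifest) {
  const f = auditManifest(manifest);
  return !f.includes("script-src 'unsafe-eval'") && !f.includes('script-src missing');
}

// Constructed "before" and "after" manifests for illustration.
const before = { content_security_policy:
  "script-src 'self' 'unsafe-eval'; object-src 'self'; style-src * 'unsafe-inline'" };
const after = { content_security_policy: "script-src 'self'; object-src 'self'" };
console.log(auditManifest(before), blocksEval(before));
console.log(auditManifest(after), blocksEval(after));
```

A policy that passes this check only tells you that a leftover eval or Function call in a bundled dependency will throw at runtime; confirming that the code path handles that gracefully still needs a functional test.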