Remove use of unsafe-eval

[lidel]

We allowed unsafe-eval in browser extension because browserified bundle ipfs-api.min.js relies on eval. Unfortunately Mozilla does not accept extensions with unsafe-eval:

The use of 'unsafe-eval' is not allowed in the manifest.json's CSP as it can cause major security issues. [feedback from review]

[..] extensions with 'unsafe-eval', 'unsafe-inline', remote script, or remote sources in their CSP are not allowed for extensions listed on addons.mozilla.org due to major security issues. [MDN]

We need to address it somehow.

Any ideas @ipfs/javascript-team?
Is it possible to create own bundle without eval?
We can start using webpack if needed.

[styfle]

Can you link to the code that is doing the eval? And what is it evaluating?

[daviddias]

searching for eval on the min file reveals that is something that Webpack injects as part of its bundling:

Which gets in because of the script loader webpack/webpack#4899

Investigating how to disable it (it's not actually present in our config file https://github.com/ipfs/aegir/blob/master/config/webpack.js)

[yfdyh000]

https://github.com/substack/vm-browserify/blob/bfd7c5f59edec856dc7efe0b77a4f6b2fa20f226/example/run/bundle.js#L430

[lidel]

FYSA we need to resolve this two-three weeks before Firefox 57 is released, otherwise users will be left dry without working browser extension :(

[daviddias]

I believe we used the script-loader in the past due to our usage of node-forge which we don't use anymore.

@dignifiedquire sounds like the removal of script-loader can be one of the features for aegir@next? What do you say?

[dignifiedquire]

I do not think the issue is the script-loader, I searched through all deps and it does not get installed and still eval is present in the built file.

[dignifiedquire]

I believe I found the offender. The shim for vm relies on eval, and it seems this is used in the dependency asn1.

[dignifiedquire]

Here: https://github.com/indutny/asn1.js/blob/master/lib/asn1/api.js#L21 to be exact

[daviddias]

Need to think more about this, but I'm guessing that we can get rid of this https://github.com/substack/vm-browserify/blob/master/index.js#L105