Chrome extension security: Code generation from strings disallowed

[g2010a]

Google will be disallowing eval and other 'dangerous' methods in extensions ( see https://code.google.com/chrome/extensions/contentSecurityPolicy.html ). This means that extensions relying on Miso are already breaking. Can Dataset be implemented in compliance with Google's requirements?

[g2010a]

... hm. It seems to be the dependency on lodash.js that triggers the alert. Installing the unminified package and replacing lodash with underscore works.

[alexgraul]

Thats...an unexpected issue. Will investigate.

[jdalton]

The issue you are seeing is because of lodash's use of _.template, which uses Function(...), to build methods optimized for the current environment. For Chrome extensions you can use the mobile build lodash mobile which has methods inlined, not compiled. That should avoid the issue.

For more info on builds check out http://lodash.com/#custom-builds.

[g2010a]

Thanks, I'll check out the lodash mobile build.

[jdalton]

Related to issue: lodash/issues/54.

[alexgraul]

I think the answer here is just to use the mobile build if you're doing an extension, I'm not sure there's much point us offering a separate build and we can't switch wholesale without breaking IE support. Another one for the wiki a la #170

[jdalton]

Cool, I aliased the lodash mobile build as lodash csp too.