Use of `new Function` violates Chrome App CSP

[mendelk]

In this commit, this line was added:

customScheme: new Function('node', ''),

However, this violates the Chrome App contentSecurityPolicy:

You can’t use string-to-JavaScript methods like eval() and new Function().

Meaning, that the player won't work in Chrome Apps without workarounds (and Chrome Extensions as well, though it's a bit easier to work around in that case).

Is there any way this can be changed? Thanks! 😄

[joeyparrish]

This was added as a work-around for a compiler issue.

When we merge configuration changes from the app into the running config, we check types to make sure that everything is correctly-typed. For functions, this means checking the number of arguments.

We used to have this:

  customScheme: function(node) {},

But this only worked in uncompiled mode. The compiler would strip out unused arguments from the anonymous function, which caused the check on the number of arguments to fail.

We started using new Function('node', '') so the compiler would not "optimize" it. In reality, we don't need to convert a string to a function at all.

So yes, we can change this. I don't yet know what other work-around we should use, but we will investigate our options.

[mendelk]

Thanks @joeyparrish. I understand that Chrome Apps and Extensions are niche use cases, so any work you put into supporting these is greatly appreciated!

[joeyparrish]

No worries. We should be able to support this.