Chrome packaged app security policy

Question

I need create RSA signature in my Chrome packaged app written with Backbone.js. But when I use jsrsasign I get:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an 
allowed source of script in the following Content Security Policy directive: 
"default-src 'self' chrome-extension-resource:". Note that 'script-src' was 
not explicitly set, so 'default-src' is used as a fallback.

I tried to set up content_security_policy, but it's not working with packaged apps. So how to workaround this?

The code which causes problems is:

var sig = new KJUR.crypto.Signature({"alg": "SHA1withRSA", "prov": "cryptojs/jsrsa"});

And the lib is calling eval:

this.md = eval(KJUR.crypto.Util.CRYPTOJSMESSAGEDIGESTNAME[alg]).create();

Answer 1

At first sight, it seems that you can patch that line in the library with:

this.md = CryptoJS.algo[alg.toUpperCase()].create();