Question

When the Google JavaScript client library is used in a Chrome extension, the 'unsafe-eval' permission is required when the response type is id_token. Is there any way to avoid this?


Solution

Last time I checked, the JSAPI client library wasn't supported in Chrome Extensions. Even if it is, I would strongly suggest you avoid using it.

It's easier and safer to use the built-in chrome.identity API to handle OAuth and then roll your own Google API calls.
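As an added example of the approach this answer recommends (it is not code from the answer, from Google's client library, or from the extension in the question): the OAuth token comes from chrome.identity.getAuthToken and the API call is a plain fetch(), so nothing in the extension needs eval() and the CSP can stay at "script-src 'self'; object-src 'self'". It assumes a manifest.json with the "identity" permission and an "oauth2" block carrying your own client_id and scopes (the client id below is a placeholder); the userinfo endpoint is Google's real one, the helper names are mine, and the token/fetch injection in fetchUserInfo exists only so the flow can be exercised outside Chrome.

```javascript
// Added example (not from the original page). Assumed manifest.json fragment:
//   "permissions": ["identity"],
//   "oauth2": { "client_id": "YOUR_CLIENT_ID.apps.googleusercontent.com",   // placeholder
//               "scopes": ["https://www.googleapis.com/auth/userinfo.email"] },
//   "content_security_policy": "script-src 'self'; object-src 'self'"      // no 'unsafe-eval'

const USERINFO_URL = 'https://www.googleapis.com/oauth2/v3/userinfo';

// Bearer header for a Google API request; kept separate so it can be checked on its own.
function authHeaders(token) {
  return { Authorization: `Bearer ${token}` };
}

// Pick the fields we trust from the userinfo JSON. The body comes through
// res.json(), which is JSON.parse underneath: data only, never code.
function parseUserInfo(body) {
  if (!body || typeof body.sub !== 'string') {
    throw new Error('userinfo response missing "sub"');
  }
  return { sub: body.sub, email: body.email, emailVerified: body.email_verified === true };
}

// Promise wrapper around the callback-style chrome.identity.getAuthToken.
function getAuthToken(interactive) {
  return new Promise((resolve, reject) => {
    chrome.identity.getAuthToken({ interactive }, (token) => {
      if (chrome.runtime.lastError || !token) {
        reject(new Error(chrome.runtime.lastError ? chrome.runtime.lastError.message : 'no token'));
      } else {
        resolve(token);
      }
    });
  });
}

// Call the userinfo endpoint. `deps` injects the token source, the fetch
// implementation and the cache-eviction hook so the logic runs outside Chrome too.
async function fetchUserInfo(deps) {
  const { getToken, removeToken, fetchImpl } = deps;
  let token = await getToken();
  let res = await fetchImpl(USERINFO_URL, { headers: authHeaders(token) });
  if (res.status === 401 && removeToken) {
    // Cached token expired or was revoked: evict it and retry exactly once.
    await removeToken(token);
    token = await getToken();
    res = await fetchImpl(USERINFO_URL, { headers: authHeaders(token) });
  }
  if (!res.ok) {
    throw new Error(`userinfo request failed with HTTP ${res.status}`);
  }
  return parseUserInfo(await res.json());
}

// Production wiring: real chrome.identity calls and the browser's fetch.
function chromeDeps() {
  return {
    getToken: () => getAuthToken(true),
    removeToken: (token) =>
      new Promise((resolve) => chrome.identity.removeCachedAuthToken({ token }, resolve)),
    fetchImpl: (url, init) => fetch(url, init),
  };
}

// Only runs inside an extension page or service worker where chrome.identity exists.
if (typeof chrome !== 'undefined' && chrome.identity) {
  fetchUserInfo(chromeDeps())
    .then((user) => console.log('signed in as', user.email))
    .catch((err) => console.error('sign-in failed:', err));
}
```

Under Manifest V3 the CSP key takes the object form ("content_security_policy": {"extension_pages": "script-src 'self'; object-src 'self'"}) and 'unsafe-eval' is not accepted for extension pages at all, which is one more reason to keep eval out of the design rather than to whitelist it.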

OTHER TIPS

Using the eval() function in a Chrome Extension requires the 'unsafe-eval' permission to be declared in the manifest.json, regardless of whether the Google JavaScript Client Library is present in that extension.

Evaluated JavaScript. The policy against eval() and its relatives like setTimeout(String), setInterval(String), and new Function(String) can be relaxed by adding 'unsafe-eval' to your policy:

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"

However, we strongly recommend against doing this. These functions are notorious XSS attack vectors.

See the official Google Documentation for more information about Content Security Policy.
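The quoted documentation calls eval() and its relatives XSS vectors; the added example below (not code from this answer or from Google's documentation) shows the mechanism with a vulnerable parser beside its hardened form. Both take a config string that an extension might receive from a page or a remote server; the payload is constructed for the demonstration, and the global marker name __evalRan is mine.

```javascript
// Added example (not from the original page). Constructed inputs throughout.

// Vulnerable: "parse" a config string by evaluating it. Anything that looks like
// JavaScript in the string runs with the extension's privileges. This is the kind
// of code that only works once 'unsafe-eval' is added to the CSP.
function parseConfigUnsafe(text) {
  // eslint-disable-next-line no-eval
  return eval('(' + text + ')');
}

// Hardened: JSON.parse accepts data only. A payload that smuggles code is a
// SyntaxError, and it needs no CSP relaxation. The shape check keeps a caller from
// receiving an array or primitive where an object was expected.
function parseConfigSafe(text) {
  const cfg = JSON.parse(text);
  if (typeof cfg !== 'object' || cfg === null || Array.isArray(cfg)) {
    throw new TypeError('config must be a JSON object');
  }
  return cfg;
}

// Run both parsers on the same text and report what each did. The side-effect
// marker shows whether the input executed code rather than merely being read.
function compareParsers(text) {
  const result = {};

  globalThis.__evalRan = false;
  try {
    result.unsafeValue = parseConfigUnsafe(text);
  } catch (e) {
    result.unsafeError = e.constructor.name;
  }
  result.codeRanViaEval = globalThis.__evalRan === true;

  globalThis.__evalRan = false;
  try {
    result.safeValue = parseConfigSafe(text);
  } catch (e) {
    result.safeError = e.constructor.name;
  }
  result.codeRanViaJsonParse = globalThis.__evalRan === true;

  return result;
}

// Constructed inputs: a benign config and one carrying an expression that runs.
const BENIGN_CONFIG = '{"theme":"dark","refreshSeconds":30}';
const MALICIOUS_CONFIG = '{"theme":"dark","refreshSeconds":(globalThis.__evalRan = true)}';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(compareParsers(BENIGN_CONFIG));
  console.log(compareParsers(MALICIOUS_CONFIG));
}
```

The same substitution applies to the other functions the documentation lists: setTimeout("refresh()", 1000) becomes setTimeout(refresh, 1000), and new Function(body) is replaced by a function written in the extension's own source, so the CSP can stay at script-src 'self'.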

Licensed under: CC-BY-SA with attribution