Question

I've developed a web app and uploaded it to my Google Chrome apps as an unpacked extension. During execution I receive the following error:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback. [knockout-3.0.0-min.js:54]

Adding "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'" to manifest.json results in the message:

'content_security_policy' is only allowed for extensions and legacy packaged apps, but this is a packaged app.

Does it mean that I cannot use Knockout.js for developing apps for the Chrome app store?

How to fix this problem?


Solution 2

Solve the problem using Knockout Secure Binding.

Knockout.js secure binding
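As an added illustration of why a secure-binding parser satisfies the packaged-app CSP (this is example code written for this page, not Knockout's or Knockout Secure Binding's own implementation, and far smaller than the real grammar): Knockout's default binding provider hands the data-bind string to new Function(), which the CSP above forbids. A parser that walks the string and resolves each expression against the view model never turns text into code, so it works without 'unsafe-eval'. The helper names (parseBindings, evaluateExpression) and the sample view model are invented here.

```javascript
// Added example: an eval-free evaluator for "name: expression, ..." binding
// strings. Supports dotted identifier paths, string/number/boolean/null
// literals and a leading "!"; anything else (calls, operators, brackets) is
// rejected rather than executed. Not Knockout Secure Binding's actual parser.

const IDENT = /^[A-Za-z_$][\w$]*$/;

// Split "a: b, c: d" on top-level commas, leaving commas inside quotes alone.
function splitBindings(bindingString) {
  const parts = [];
  let current = '';
  let quote = null;
  for (const ch of bindingString) {
    if (quote) {
      current += ch;
      if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
      current += ch;
    } else if (ch === ',') {
      parts.push(current);
      current = '';
    } else {
      current += ch;
    }
  }
  if (current.trim() !== '') parts.push(current);
  return parts;
}

// Resolve one expression by lookup only. Walks own properties so a binding
// string cannot reach prototype members such as "constructor".
function evaluateExpression(expr, viewModel) {
  expr = expr.trim();
  if (expr.startsWith('!')) return !evaluateExpression(expr.slice(1), viewModel);
  if (/^'.*'$|^".*"$/.test(expr)) return expr.slice(1, -1);
  if (/^-?\d+(\.\d+)?$/.test(expr)) return Number(expr);
  if (expr === 'true') return true;
  if (expr === 'false') return false;
  if (expr === 'null') return null;
  const segments = expr.split('.');
  if (!segments.every((s) => IDENT.test(s))) {
    throw new SyntaxError('unsupported expression, refusing to evaluate: ' + expr);
  }
  let value = viewModel;
  for (const seg of segments) {
    if (value === null || value === undefined ||
        !Object.prototype.hasOwnProperty.call(value, seg)) {
      return undefined;
    }
    value = value[seg];
  }
  return value; // a real provider would ko.unwrap() observables here
}

// Turn a data-bind string into { bindingName: value } without new Function().
function parseBindings(bindingString, viewModel) {
  const result = {};
  for (const part of splitBindings(bindingString)) {
    const colon = part.indexOf(':');
    if (colon < 0) throw new SyntaxError('expected "name: expression" in: ' + part);
    const name = part.slice(0, colon).trim();
    if (!IDENT.test(name)) throw new SyntaxError('bad binding name: ' + name);
    result[name] = evaluateExpression(part.slice(colon + 1), viewModel);
  }
  return result;
}

// Constructed sample view model in the shape a Knockout app would bind to.
const sampleViewModel = { user: { name: 'alice', isAdmin: false }, count: 3 };
```

With this approach a binding such as text: alert(1) is a parse error instead of executed script, which is the trade-off Knockout Secure Binding makes: a smaller expression language in exchange for running under a CSP with no 'unsafe-eval'.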

OTHER TIPS

Knockout doesn't use eval, but it does use the new Function() expression for performance optimization in templating.

To get around this issue you will have to sandbox the components that use this type of string-to-code conversion.

Here is a section from chrome app documentation regarding eval sandboxing:

We recognize, however, that a variety of libraries use eval() and eval-like constructs such as new Function() for performance optimization and ease of expression. Templating libraries are especially prone to this style of implementation. While some (like Angular.js) support CSP out of the box, many popular frameworks haven't yet updated to a mechanism that is compatible with extensions' eval-less world. Removing support for that functionality has therefore proven more problematic than expected for developers.

Article link

And of course like always you can trust what RP Niemeyer recommends.
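The sandboxing approach from the tip above, as an added example (written for this page, not Chrome's or Knockout's code): the packaged app lists a page under "sandbox" in manifest.json, for example "sandbox": { "pages": ["sandbox.html"] }. That page is served with a relaxed CSP and may load Knockout and call new Function(), but it has no access to chrome.* APIs and runs with the opaque origin "null". The main page keeps the strict CSP and exchanges plain data with the sandbox frame over postMessage. The message types ("render", "action"), the allowed-action list and the file name sandbox.html are assumptions made for this example.

```javascript
// Added example: main page <-> sandboxed page messaging for a Chrome packaged
// app. The main page (strict CSP) sends view-model data in; the sandboxed page
// (Knockout, new Function() allowed) sends user actions back, which the main
// page validates before touching any privileged API.

// ---- shared ---------------------------------------------------------------
// Knockout observables are functions and do not survive structured cloning,
// so unwrap them (like ko.toJS) before posting across the sandbox boundary.
function toPlainData(value) {
  if (typeof value === 'function') return toPlainData(value());
  if (Array.isArray(value)) return value.map(toPlainData);
  if (value && typeof value === 'object') {
    const out = {};
    for (const key of Object.keys(value)) out[key] = toPlainData(value[key]);
    return out;
  }
  return value;
}

function buildRenderMessage(viewModel) {
  return { type: 'render', viewModel: toPlainData(viewModel) };
}

// ---- main page (strict CSP, has chrome.* access) --------------------------
// Actions the sandbox is allowed to request; anything else is dropped.
const ALLOWED_ACTIONS = { save: true, close: true };

// A sandboxed frame reports origin "null", so event.origin cannot identify
// it. Compare event.source with the window of the frame we created instead.
function makeSandboxReplyHandler(sandboxWindow, onAction) {
  return function onMessage(event) {
    if (event.source !== sandboxWindow) return 'ignored: unknown source';
    const data = event.data;
    if (!data || data.type !== 'action' || typeof data.name !== 'string' ||
        !Object.prototype.hasOwnProperty.call(ALLOWED_ACTIONS, data.name)) {
      return 'ignored: bad message';
    }
    onAction(data.name, data.payload);
    return 'accepted';
  };
}

// Browser-only wiring (not exercised offline): create the frame, listen for
// its actions, and push the view model once it has loaded.
function wireUpSandbox(document, windowObj, viewModel, onAction) {
  const frame = document.createElement('iframe');
  frame.src = 'sandbox.html'; // assumed file name, listed in manifest "sandbox.pages"
  document.body.appendChild(frame);
  windowObj.addEventListener('message', makeSandboxReplyHandler(frame.contentWindow, onAction));
  frame.addEventListener('load', () => {
    // The sandboxed page's origin is "null", so it cannot be named here.
    frame.contentWindow.postMessage(buildRenderMessage(viewModel), '*');
  });
  return frame;
}

// ---- sandboxed page (may use new Function(); loads knockout here) ---------
// applyViewModel would typically be: (vm) => ko.applyBindings(vm)
function makeSandboxRequestHandler(applyViewModel) {
  return function onMessage(event) {
    const data = event.data;
    if (!data || data.type !== 'render' || !data.viewModel || typeof data.viewModel !== 'object') {
      return 'ignored';
    }
    applyViewModel(data.viewModel);
    return 'rendered';
  };
}

// Called from a Knockout click binding; targetOrigin is the app's own
// chrome-extension:// origin so the request cannot reach another embedder.
function sendAction(parentWindow, targetOrigin, name, payload) {
  const message = { type: 'action', name: name, payload: toPlainData(payload) };
  parentWindow.postMessage(message, targetOrigin);
  return message;
}
```

The two handlers are the security boundary: the sandbox cannot call chrome.* itself, and the main page only acts on messages that come from its own frame and name an action it expects, so a compromised template or binding inside the sandbox gains nothing beyond those actions.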

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow