eval() re-allowed in manifest v2


Aaron Boodman

Sep 7, 2012, 5:05:51 PM
to Chromium-extensions
Hello extension developers,

In response to a lot of feedback about manifest v2, we've decided to
make it possible for developers to opt-in to eval() support in
manifest v2 by adding the 'unsafe-eval' token to their CSP. For the
latest information, please see:
http://developer.chrome.com/trunk/extensions/contentSecurityPolicy.html#relaxing-eval.

You should only add 'unsafe-eval' to your CSP if you actually need to
use eval(). Otherwise, please leave the CSP in its default setting.

The rest of the changes to manifest v2, including the policies against
inline script and embedding remote script from insecure origins,
remain in place.

We apologize to those of you who already went to some effort to remove
eval(). On the upside, using eval() within an extension is a pretty
dangerous thing to do, and your extension is probably more secure with
it gone.

Thanks,

- Aaron on behalf of the Chrome Extensions Team.

Scott Fujan

Sep 7, 2012, 5:21:08 PM
to Aaron Boodman, Chromium-extensions
On what version is this going live?




Aaron Boodman

Sep 7, 2012, 5:27:50 PM
to Scott Fujan, Chromium-extensions
Chrome 23.

John J Barton

Sep 12, 2012, 5:08:00 PM
to Aaron Boodman, Scott Fujan, Chromium-extensions
I tried
Version 23.0.1264.0 (156019)
with
"content_security_policy": "script-src 'self' 'unsafe-eval'"
and with
"content_security_policy": "script-src 'self'"
but they both fail with an error message while reading the manifest.json:

Could not load extension from '/work/sirius/extension'. Invalid value
for 'content_security_policy': The 'script-src' and 'object-src'
directives can only whitelist secure resources. You may include any of
the following sources: "'self'", "http://127.0.0.1",
"http://localhost", or any "https://" or "chrome-extension://" origin.
For more information, see
http://developer.chrome.com/extensions/contentSecurityPolicy.html

(Note that reverting to manifest version 1 does not seem to be an option).

jjb

John J Barton

Sep 12, 2012, 5:40:36 PM
to Aaron Boodman, Scott Fujan, Chromium-extensions
On the other hand,

"content_security_policy": "default-src 'none'; style-src 'self';
script-src 'self' 'unsafe-eval'",

does work. That's good because now I understand how to work with
content_security_policy:
don't read the docs, just find an example that works, modify it one
bit at a time, and iterate.

jjb

Aaron Boodman

Sep 12, 2012, 7:41:13 PM
to John J Barton, Scott Fujan, Chromium-extensions
I'm not sure what the difference between these two is, but I'll look into it.

- a


Mike West

Sep 13, 2012, 5:47:03 AM
to chromium-...@chromium.org, John J Barton, Scott Fujan
The difference between the two is that the former doesn't specify a value for 'object-src'. We require that both 'script-src' and 'object-src' be locked down to secure values: `script-src 'self' 'unsafe-eval'` addresses 'script-src', but leaves 'object-src' open.

I'll tweak the error message to make that more clear: http://crbug.com/148919

-mike

John J Barton

Sep 13, 2012, 10:35:36 AM
to Mike West, chromium-...@chromium.org
Hi Mike,

Sorry I forgot to mention in my post: the line I tried was copied out
of the documentation that Aaron posted:
http://developer.chrome.com/trunk/extensions/contentSecurityPolicy.html#relaxing-eval
So that line needs to be fixed too.

jjb

Mike West

Sep 13, 2012, 10:41:28 AM
to chromium-...@chromium.org, Mike West
Yup, that looks like a typo. I'll fix it along with the other thing.

Thanks very much!

-mike

Mike West

Sep 13, 2012, 10:45:39 AM
to chromium-...@chromium.org, Mike West
https://codereview.chromium.org/10905258/

If any other bits of the documentation catch your eye, let me know. We're honestly not trying to confuse you. :)

-mike

Reivax

Sep 19, 2012, 9:47:51 AM
to chromium-...@chromium.org
Hi all,

Thanks for the great comeback of the eval support, although I had started to refactor our 200k-line extension to get rid of it.

But I do have an issue with adding it in the CSP.

I thought the CSP "default-src" directive was only meant for *script* loading?
Here is what I'm using:
"content_security_policy": "default-src 'self' 'unsafe-eval'"

And yet I get errors on Ajax requests posting and receiving XML from external servers.

I might be able to solve the issue by white-listing them (although there are tens of them), but is that what it is supposed to do?

Did I miss anything?

Thanks

Mike West

Sep 19, 2012, 10:15:55 AM
to chromium-...@chromium.org
The `default-src` directive sets a default value for many directives: `script-src`, `object-src`, `style-src`, `img-src`, `media-src`, `frame-src`, `font-src`, and `connect-src`[1].

If you'd like to connect to a variety of hosts, you can either add `connect-src host1 host2 host3 ...` (or `connect-src *`) to your policy, or define only `script-src` and `object-src`. Something like `"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"` should work for you.

Also, if you've already started refactoring your extension, please feel more than free to continue! The less eval in the ecosystem, the better.

-mike
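A small model of the rules Mike describes above and in his earlier reply (default-src as the fallback for the other fetch directives, and script-src and object-src both required to be locked down to secure sources), added here as an example. It is not Chrome's validator; the secure-source list is taken from the error message John quoted, and the check is simplified to what this thread covers.

```javascript
// Added example modelling the manifest CSP rules described in this thread
// (default-src fallback; script-src and object-src must be locked down to
// secure sources). This is a simplified model, not Chrome's own validator.
const FALLBACK = ['script-src', 'object-src', 'style-src', 'img-src',
  'media-src', 'frame-src', 'font-src', 'connect-src'];

// Parse "name src src; name src" into { name: [src, ...] }.
function parsePolicy(policy) {
  const dirs = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) dirs[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return dirs;
}

// Effective source list for a directive: its own value, else default-src
// (for the directives default-src covers), else null meaning unrestricted.
function effective(dirs, name) {
  if (dirs[name]) return dirs[name];
  if (FALLBACK.includes(name) && dirs['default-src']) return dirs['default-src'];
  return null;
}

// Secure sources per the error message quoted earlier, plus the keyword tokens.
function isSecureSource(src) {
  if (["'self'", "'none'", "'unsafe-eval'"].includes(src)) return true;
  if (src === 'http://127.0.0.1' || src === 'http://localhost') return true;
  return src.startsWith('https://') || src.startsWith('chrome-extension://');
}

// Check a manifest content_security_policy string: would it be accepted, why
// not, is eval() enabled, and what is the effective connect-src (null = any host).
function checkExtensionCsp(policy) {
  const dirs = parsePolicy(policy);
  const problems = [];
  for (const name of ['script-src', 'object-src']) {
    const srcs = effective(dirs, name);
    if (srcs === null) problems.push(`${name} is left open: no value and no default-src`);
    else for (const s of srcs) if (!isSecureSource(s)) problems.push(`${name} allows insecure source ${s}`);
  }
  const script = effective(dirs, 'script-src') || [];
  return {
    valid: problems.length === 0,
    problems,
    allowsEval: script.includes("'unsafe-eval'"),
    connect: effective(dirs, 'connect-src'),
  };
}
```

Run against the policies in this thread, it rejects `script-src 'self' 'unsafe-eval'` because object-src is left open, and shows that a bare `default-src 'self' 'unsafe-eval'` also restricts connect-src to the extension itself, which is why the external Ajax requests failed.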

Reivax

Sep 20, 2012, 5:37:37 AM
to chromium-...@chromium.org
Thanks for this very accurate and helpful answer, it's working fine.

Our use of 'eval' should be safe since it's only used to evaluate code loaded from the extension itself.
I won't go into much detail, but it's just part of an "if needed" synchronously loaded and executed JavaScript package management library
that loads some JS code at runtime only if it's needed.

Xavier



Godmar Back

Oct 27, 2012, 1:32:08 PM
to Gina Cook, chromium-...@chromium.org
On Fri, Oct 26, 2012 at 4:39 PM, Gina Cook <gina....@gmail.com> wrote:
> * AngularJS - library uses eval


 - Godmar


Gina Cook

Oct 27, 2012, 1:45:54 PM
to Godmar Back, chromium-...@chromium.org
You're right, Angular lets you turn eval on and off depending on whether you want speed or you want to run in a Chrome extension, which is fantastic! I'm working through the Angular tutorial now. I suspect it's the framework that we will choose.

I updated the github repo this morning with the Angular example using ng-csp, but didn't want to bombard the list with updates right away. Each framework has an issue where I'm updating the future/current state of eval based on the framework's issue tracker. https://github.com/cesine/todomvc-for-chrome-extensions/issues?labels=&milestone=&page=1&state=closed

Here is my updated list as of Oct 27, 2012:

Works out of the ToDoMVC box!

Works if you change to precompiled templates

Will not work without an eval workaround

  • Dojo - no plan to remove evals
  • KnockoutJS (MVVM) - no plan to remove evals

Needs a workaround from someone who knows the framework before it will work in a Chrome Extension

  • GWT - inline script: example creates a script tag on the fly
  • Closure - example uses eval, but might not be necessary
  • YUILibrary - example is pulling from non-https server

Duane O'Brien

Oct 27, 2012, 2:08:42 PM
to Gina Cook, Godmar Back, chromium-...@chromium.org
Thanks for posting this! I was on the verge of digging in to this myself. 