Polymer in JS Packaged Chrome Apps: will they be possible without Vulcanizer?

[claudio.m...@gmail.com]

Hello all. I'm about to decide whether to use Polymer in a Chrome Packaged Application in the near future. Since the project will be quite big (it's a rewriting of a software currently written in Java and NetBeans Platform), I'm quite worried about using Vulcanizer as my main file will grow up a lot. So, I was wondering: is there any plan on bringing Polymer on Chrome Packaged Apps natively? I tried running a test app in Chrome Dev Editor and Chrome 36 Beta, but I still get CSP-related errors, so I guess that HTML imports and Observe-js becoming native are not the only missing pieces...Can someone give me a clue?

[Eric Bidelman]

Can you elaborate on the CSP errors?

BTW, if you're worried about a single JS file becoming too big, develop your components by referencing an external js file. 

<polymer-element name="my-element">

...

  <script src="path/to/my-element.js"></script>

</polymer-element>

See http://www.polymer-project.org/docs/polymer/polymer.html#altregistration.

On Wed, Jul 9, 2014 at 10:13 AM, <claudio.m...@gmail.com> wrote:

Hello all. I'm about to decide whether to use Polymer in a Chrome Packaged Application in the near future. Since the project will be quite big (it's a rewriting of a software currently written in Java and NetBeans Platform), I'm quite worried about using Vulcanizer as my main file will grow up a lot. So, I was wondering: is there any plan on bringing Polymer on Chrome Packaged Apps natively? I tried running a test app in Chrome Dev Editor and Chrome 36 Beta, but I still get CSP-related errors, so I guess that HTML imports and Observe-js becoming native are not the only missing pieces...Can someone give me a clue?

Follow Polymer on Google+: plus.google.com/107187849809354688692
---
You received this message because you are subscribed to the Google Groups "Polymer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to polymer-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/polymer-dev/2dd04aeb-0d00-404c-af63-e8f38b3d42d8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[claudio.m...@gmail.com]

Sure. This is the test code:

<!DOCTYPE html>

<html>

<head>

  <title>PolymerApp</title>

  <!-- 1. Load platform.js for polyfill support. -->

    <script src="bower_components/platform/platform.js"></script>

    <!-- 2. Use an HTML Import to bring in the element. -->

    <link rel="import"

          href="bower_components/paper-button/paper-button.html" />

  <link rel="stylesheet" href="styles.css">

</head>

<body>

  <h1 id="greeting"></h1>

  <paper-button label="flat button"></paper-button>

  <paper-button label="raised button" raisedButton></paper-button>

  <script src="main.js"></script>

</body>

</html>

and here are the errors:

1. Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback. observe.js:794
1. (anonymous function)observe.js:794
2. (anonymous function)observe.js:797
3. (anonymous function)observe.js:1716

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback. core-meta.html:61

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback. core-iconset.html:65

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback. core-icon.html:43

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback. paper-focusable.html:34

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback. paper-ripple.html:88

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback. paper-shadow.html:64

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback. paper-button.html:84

However thanks for the suggestion about the external scripts. It will help for sure.

[Eric Bidelman]

Ah. Since those errors are coming form individual element files, it looks like you haven't vulcanized the app. Unfortunately, right now, running vulcanize is our recommended way to get around CSP issues. 

To view this discussion on the web visit https://groups.google.com/d/msgid/polymer-dev/1c1f2c64-6263-4544-a552-d60d2b389bb4%40googlegroups.com.

[claudio.m...@gmail.com]

Indeed, vulcanizing seems to be the only choice for now. 

So... back to the original question: I'll need to vulcanize even after Chrome 36, won't I?

[Eric Bidelman]

On Thu, Jul 10, 2014 at 5:25 PM, <claudio.m...@gmail.com> wrote:

Indeed, vulcanizing seems to be the only choice for now. 

So... back to the original question: I'll need to vulcanize even after Chrome 36, won't I?

Yes, if you're using inline <script> in your own elements or using any of the core-* or paper-* (which have inline <script>), you'll need to vulcanize for now. 

Note, this came up yesterday and I've been told that inline <script> from the same origin, in a CSP env like chrome apps *should work*. There's a chrome bug that needs to be filed.

To view this discussion on the web visit https://groups.google.com/d/msgid/polymer-dev/35910d74-120c-4bd5-8036-c7b268d4af47%40googlegroups.com.

[claudio.m...@gmail.com]

So I hope that this will work in the future. Given that the development of my project should last at least several months and with vulcanizer as an available workaround I'm quite optimistic. Thanks for the answers!

[Eric Bidelman]

Here's the mentioned Chromium ticket: https://code.google.com/p/chromium/issues/detail?id=393307

Thanks for filing Steve.

On Fri, Jul 11, 2014 at 1:25 AM, <claudio.m...@gmail.com> wrote:

So I hope that this will work in the future. Given that the development of my project should last at least several months and with vulcanizer as an available workaround I'm quite optimistic. Thanks for the answers!

Follow Polymer on Google+: plus.google.com/107187849809354688692
---
You received this message because you are subscribed to the Google Groups "Polymer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to polymer-dev...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/polymer-dev/c0db443f-94a3-4d47-86bb-7c0178035770%40googlegroups.com.

[code4cha...@gmail.com]

is there a way to do the vulcanize in chrome-os? i just got done using the designer to prototype out some stuff and my first link  landed me here.. if not, where would you recommend I post a request?  i'm going all in on the whole chromebook life and would love  to provide the feedback to those who want nothing more then more like me :)

[Eric Bidelman]

A couple of people have figured out how to run Node on Chrome OS:

https://coderwall.com/p/lonlyq

https://github.com/googlecreativelab/coder/wiki/Coder-on-a-Chromebook-with-Crouton

Note: it requires developer mode (which reformats the machine)

To view this discussion on the web visit https://groups.google.com/d/msgid/polymer-dev/d194140c-8b1e-4cdc-9429-5f1aad402c43%40googlegroups.com.