jspm without inline scripts

[Chris K]

Hi,

Is it possible to use jspm without inline scripts?

I would like to write a chrome extension with jspm. The problem is, that chrome doesn't allow inline scripts.

So instead of:

<script>

  System.import('app/main');

</script>

i would like to use:

<script src="app/main"></script>

Chris

[Guy Bedford]

Sure, you can write a app.js with:

```
System.import('app/main');
```

--
You received this message because you are subscribed to the Google Groups "jspm" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jspm-io+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Chris K]

Great, that works.

Thank you very much.

[Guy Bedford]

Sure, do post back if there's anything that can be done to make writing extensions easier with jspm, as this isn't a workflow that has been optimized much.

[Chris K]

I just realised that it doesn't work as I expected.

The System.import within the app.js works perfectly, but not within the restricted environment of a chrome extension.

The problem is, that system.js tries to add a script tag to the name which gets restricted by the chrome extension.

Snippet of system.js

==================

    doEval = function(source) {

      if (!head)

        head = document.head || document.body || document.documentElement;

      var script = document.createElement('script');

      script.text = source;

      var onerror = window.onerror;

      var e;

      window.onerror = function(_e) {

        e = _e;

      }

      head.appendChild(script);  <<<<<<<<< chrome extensions doesn't allow appening a script tag to the dom

      head.removeChild(script);

      window.onerror = onerror;

      if (e)

        throw e;

    }

Error output

==================

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.

Solution (not)

==================

There is no way around the google chrome extension restriction. Since system.js needs to inject scripts into dom in order to load then async, i can't see a way to get this work. :-(

I could probably just add the single production ready file, which doesn't need to add more scripts to the dom. Or do you have an idea how I could still use the full power of jspm?

Thank you for your help.

Chris

[Guy Bedford]

There is a SystemJS CSP version at https://github.com/systemjs/systemjs/tree/master/dist.

This only works for wrapper-based module formats though like AMD and System.register and can't load CommonJS natively.

Alternatively it may be worth just using the bundle-sfx mode of jspm for your extension work.

[Jonathan Fishbein]

Is there a way to do this using jspm 17?  I used a bundle-sfx and published a chrome extension successfully with jspm 16 but not sure how to go about this with jspm 17?  Any thoughts? Thanks!