-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Chrome Packaged App: Refused to evaluate a string as JavaScript because 'unsafe-eval' .... #252
Comments
This seems like a Chrome bug. This is the minified repro case: try {
new Function('foo')
} catch (e) {
// do something else
} Even inside of a try/catch, that message will be printed. |
Will it disappear when a native support for HTML import will be available in Chrome? |
No, this problem has nothing to do with HTML Imports. The data-binding code checks for functioning 'eval', because it can be used to optimize certain operations. |
Maybe you could detect that you're in a chrome packaged app environment and avoid calling eval.
|
Just for information, we found today that Polymer/Dart uses a Polyfill for HTML imports that works in a Chrome Apps. |
yeah, that's fascinating. Polymer.dart uses the HTML Imports polyfill from https://github.com/Polymer/HTMLImports, should be at a fairly recent version. I think the only difference is we build a concatenated "debug" as well as a minified version. Also the Dart coding style typically has the Dart code in an external file, like @dinhviethoa are you using Dartium? |
I'm trying to get it to work using dart2js in standard Chrome (that's what our product targets for now). |
ah, gotcha. Makes sense. When compiling to dart2js we concat the HTML and Dart, similar to Polymer's Vulcanizer tool. |
I'm clarifying here:
|
Hmm. I wonder if Dartium is ignoring CSP for .dart files. :) |
Thoughts HTMLImports is JS and the file to import is referenced using HTML |
Yeah, our HTML imports is pure JavaScript: https://github.com/dart-lang/bleeding_edge/tree/master/dart/pkg/html_import/lib But there's two parts to HTML Imports:
The second part should run afoul of CSP, based on my (admittedly limited) understanding of CSP. |
@jmesserly has this changed within the last 3 months? Do you still expect polymer dart to run afoul of CSP for both dartium and dart2js? |
Yes. Dartium has native (implemented in C++) HTML Imports support now. We don't generate Dart code on the fly AFAIK. |
@jmesserly fwiw, @devoncarew has pointed out a few tricks for getting polymer working with Dartium an dart2js for Chrome Packaged Apps. Should probably file a bug and have these following features natively supported from polymers build/transformation system.
The reason I'm mention this is with the Mobile Chrome Packaged apps the use of eval was allowed and something down the polymer build chain must of been calling it at runtime. I would consider it a bug that Mobile Chrome Packaged apps allows eval. So when taking that same Polymer application to the Desktop Chrome Packaged apps the application will blow up. I have not tried the suggestions that @devoncarew pointed out, but will eventually focus on building a sample that works on Mobile and Desktop that follows the build steps above. Please forgive if this is not the place to discuss this oddity. |
they should be approx equivalent (other than polymer deploy being much faster at the moment). Any idea what the issue is? we should file an issue at http://dartbug.com
a lot of that script looks like Spark specific release process stuff. I don't think Polymer.dart's build tools will ever be doing git operations for you :). To be honest, I don't understand why that script is doing most of the things it is doing. Workarounds for issues perhaps, but it isn't clear what they were.
any more info about this? what does this custom bootstrap script do? |
I've got a same error with my Chrome App.
I'm using Chrome 36.0.1941.2(Enabled experimental Web Platform features), Polymer 0.2.3 and I made imports.html via |
I think this commit fixes this issue: |
That code included in 0.2.3 but
|
Oh. Sure that's an issue. It should be fixed. |
Is this fixed? :) |
Should be fixed. |
👍 |
Seems this problem come back again. Chromium 36.0.1985.67 (Developer Build 277752) dependencies:
browser: any
chrome: any
logging: any
paper_elements: any
polymer: any Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback. <!DOCTYPE html>
<html>
<head>
<title>PRM</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0">
<meta name="mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-capable" content="yes">
<!--
<link rel="stylesheet" href="styles.css">
-->
<script src="packages/web_components/platform.js"></script>
<script src="packages/web_components/dart_support.js"></script>
<link rel="import" href="packages/paper_elements/paper_button.html">
<link rel="import" href="packages/core_elements/core_drawer_panel.html">
<style>
body {
font-family: sans-serif;
color: #FFF;
height: 100%;
}
[drawer] {
background-color: #B99588;
border-right: 1px solid #ccc;
}
[main] {
height: 100%;
background-color: #4F7DC9;
}
button {
width: 160px;
height: 40px;
font-size: 16px;
margin: 8px;
}
core-drawer-panel[narrow] button {
display: inline-block
}
</style>
</head>
<body unresovled fullbleed>
<core-drawer-panel>
<div drawer>
Drawer Panel
<paper-button label='OK'>OK</paper-button>
</div>
<div main>
Main Panel
<button>toggle drawer</button>
</div>
</core-drawer-panel>
<script type="application/dart" src="main.dart"></script>
<script src="packages/browser/dart.js"></script>
</body>
</html> Anybody has the same problem? |
I am still getting these warnings when I use dart2js within a cordova chrome app.
The ticket notes that the problem was fixed in 0.2.3, but the polymer.js included with polymer.dart appears to still be at 0.2.0. |
I'm getting this error when using polymer in a background script, and I've run the 'refactor for csp' on the bower_components directory from within the Chrome Dev Editor, so that should have fixed it. Oh, and also : polymer.concat.js:4170 |
I'm getting this same error from this line in polymer.concat.js (4170) |
I'm hitting this error using Polymer 0.4.2 via Bower (minified). Looks like it begins at
|
I'm also having the same problem. Is it possible to reopen this ticket or are we to open a new one? |
When including polymer.min.js in a Chrome Packaged App, I have the following error message in the console:
Even though it's expected and for "detection" purpose, it can be confusing for the developer using Polymer.
The text was updated successfully, but these errors were encountered: