(Firefox) Handlebars no longer work (call to Function() blocked by CSP)

[Aquafina-water-bottle]

Description
Handlebars no longer work, and spits out a call to Function() blocked by CSP error on every marker. Doesn't happen on Chrome. I'm guessing this function is called in the Handlebars source code somewhere, and this is some basic permissions issue with Manifest v3.

To reproduce:

• Install the latest version of the extension
• Install your favorite dictionary
• Enable advanced options
• Head over to Configure Anki card templates… and test any marker.

Browser version
112.0b8 (64-bit)

Yomitan version
23.4.7.0 (master branch at the same date)

[Aquafina-water-bottle]

TODO a bit of research, the conclusion that I came across is that Function and related things that can evaluate arbitrary code is no longer supported by Manifest v3, so this is unfortunately expected behavior.

You can no longer execute external logic using executeScript(), eval(), and new Function(). ¹

The reason why handlebars still works on Chrome is because Chrome has a specific manifest key sandbox, which allows running eval'd code safely (Firefox does not support this):

A sandboxed page is not subject to the Content Security Policy (CSP) used by the rest of the extension (it has its own separate CSP value). This means that, for example, it can use inline script and eval. ²

Potential Solutions

1. A potential alternative currently is some sort of user script (currently Firefox support only): https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/userScripts
   Note that it appears that Chrome will be supporting userscripts sometime in the near future as well: [Chrome] Switch to manifest v3 Tampermonkey/tampermonkey#644 (comment) (edit: userscripts can only be ran on page loads, and cannot be easily controlled / communicate to web extensions)

2. Another potential alternative is to somehow use WASM, since wasm-unsafe-eval also exists (which seems to allow usage of eval): https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_webassembly_execution (edit: read the MDN doc wrong)

3. Use a templating library (or really any other language) that doesn't require eval, and can interact with custom javascript helper functions. Possible candidates:

   • handlebars-like
     • https://github.com/janl/mustache.js
       • PROBLEM(S): Just like handlebars, mustache.js is against logic in the their templates. It is also not 100% compatible with Handlebars, so existing modified scripts going to break.
   • python
     • https://github.com/pyodide/pyodide
       • PROBLEM(S): Requires an internet connection or at least 50mb of data to be packaged with the extension (see here)
     • https://github.com/pyscript/pyscript
       • PROBLEM(S): Not production ready
     • https://github.com/RustPython/RustPython
       • PROBLEM(S): Not production ready
   • lisp:
     • https://github.com/ashinn/chibi-scheme
       • ADVANTAGE(S): It's standalone and extremely portable, as it's written in pure C.
       • DISADVANTAGES(S): It uses lisp, which is a difficult language for most people.
   • rhai
   • javascript:
     • https://github.com/NeilFraser/JS-Interpreter (we can also try to run the compiled handlebars using javascript interpreters! There are obvious performance issues and potential correctness issues, but it would maintain compatibility with existing scripts.)
       • PROBLEM(S): It uses lisp, which is a difficult language for most people.
     • https://github.com/Siubaak/sval
     • https://github.com/ambit-tsai/shadowrealm-api
   • lua:
     • https://github.com/ceifa/wasmoon
   • other:
     • https://github.com/dbohdan/embedded-scripting-languages
     • https://github.com/ninia/jep (Python interpreter in Java)

4. Pray that the rust handlebars library works with JS implemented helper functions one day (see: WebAssembly API for JavaScript sunng87/handlebars-rust#208)

5. Pray that Mozilla implements the sandbox manifest key one day

6. Push the work to an Anki add-on (i.e. export the entire JSON, and have an add-on hook on note add to generate the fields correctly)

7. Pray for eval-less handlebars: Support for eval-less template execution handlebars-lang/handlebars.js#1934

   • https://github.com/elastic/kibana/tree/main/packages/kbn-handlebars

Further Reading

• WebExtension manifest v3 (Firefox) FooSoft/yomichan#2156
• WebExtension manifest v3 FooSoft/yomichan#455

Current priority list

• @kbn/handlebars
  • WARNING: This is a temporary solution. It may be deprecated in the future, or merged directly into the handlebars repo itself. However, if it's plug and play, then my as well use it for now.
• rhai
  • Seems like a much more permanent and portable solution
• NeilFraser/JS-Interpreter + Handlebars
• ashinn/chibi-scheme
• NeilFraser/JS-Interpreter by itself

Footnotes

1. https://developer.chrome.com/docs/extensions/migrating/improve-security/#remove-execution-of-strings ↩

2. https://developer.chrome.com/docs/extensions/mv3/manifest/sandbox/ ↩

[Aquafina-water-bottle]

Got a version working with kbn/handlebars, will submit a PR on it soon (tm).