I'm trying to get the realtime data model with the gapi.drive.realtime.load method in my Chrome Packaged App:

gapi.drive.realtime.load(fileId, onLoad)

but I caught an EvalError:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' apis.google.com drive.google.com".

Of course, I can just add 'unsafe-eval' to the manifest, but I guess it is a bad way to solve this problem. Can you suggest a better solution?

eden_lane

1 Answer

A packaged app can't have a less restrictive CSP than the default, so your proposed change to the manifest wouldn't have worked. Instead, create a sandboxed iframe that allows eval(), then message back and forth between the iframe and your app. This is a good example with links to further documentation.

sowbug
  • I've changed "content_security_policy" (like this: [dev.chrome](https://developer.chrome.com/extensions/contentSecurityPolicy.html#relaxing-eval)) and it solved the problem. But I think it's a hack, like using a sandboxed iframe. Thank you for your example anyway. Looks like the realtime api can't be used in packaged apps without any hacks. – eden_lane Jul 15 '13 at 09:37
  • @edencore It didn't work for me, I got "content_security_policy' is only allowed for extensions and legacy packaged apps, but this is a packaged app." when I added "content_security_policy" for my packaged app, I think Google has disallowed it now. – Imskull May 13 '14 at 13:20
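
The sandboxed-iframe approach from the answer, sketched as an added example that is not part of the original thread or of any Google sample: the eval-dependent library lives in a page listed under the manifest's `sandbox` key, and the app exchanges messages with it. The function names, the `{id, command, args}` message shape and the command table are assumptions made for this illustration.

```javascript
// manifest.json of the packaged app lists the sandboxed page:
//   "sandbox": { "pages": ["sandbox.html"] }
// sandbox.html loads the library that needs eval(); the app window embeds
// it in an <iframe> and talks to it only through postMessage.

// App side: send a request to the iframe and match the reply by id.
function createBridge(frameWindow, listenOn) {
  const pending = new Map();
  let nextId = 1;
  listenOn.addEventListener('message', (event) => {
    // A sandboxed page has an opaque origin, so event.origin is not a
    // usable check here; compare the sender window instead.
    if (event.source !== frameWindow) return;
    const msg = event.data;
    if (!msg || !pending.has(msg.id)) return;
    const { resolve, reject } = pending.get(msg.id);
    pending.delete(msg.id);
    if (msg.error) reject(new Error(msg.error));
    else resolve(msg.result);
  });
  return function call(command, args) {
    return new Promise((resolve, reject) => {
      const id = nextId++;
      pending.set(id, { resolve, reject });
      // '*' because the opaque origin cannot be named as a target.
      frameWindow.postMessage({ id, command, args }, '*');
    });
  };
}

// Sandbox side: run only allowlisted commands and reply to the sender.
// Message data is passed as arguments, never evaluated as code.
function createSandboxHandler(commands) {
  return function onMessage(event) {
    const { id, command, args } = event.data || {};
    const reply = (body) =>
      event.source.postMessage({ id, ...body }, event.origin);
    if (!Object.prototype.hasOwnProperty.call(commands, command)) {
      return reply({ error: 'unknown command: ' + command });
    }
    try {
      reply({ result: commands[command](...(args || [])) });
    } catch (e) {
      reply({ error: String(e.message || e) });
    }
  };
}
```

In the app window this would be wired as `createBridge(iframe.contentWindow, window)`, and in sandbox.html as `window.addEventListener('message', createSandboxHandler({...}))`.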