
I am unit testing my Chrome extension with mocha, chai, and sinon. When I try to stub a method on an object I get:

EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:".

at createProxy (js/lib/sinon.js:2488:86)
at Function.create (js/lib/sinon.js:2549:29)
at Function.create (js/lib/sinon.js:3337:42)
at Object.stub (js/lib/sinon.js:3289:32)
at Context.<anonymous> (js/spec/sf-companion.spec.js:44:19)
at Test.Runnable.run (js/lib/mocha.js:4529:15)
at Runner.runTest (js/lib/mocha.js:4974:10)
at js/lib/mocha.js:5057:12
at next (js/lib/mocha.js:4899:14)
at js/lib/mocha.js:4909:7

test-runner.html:

http://pastebin.com/ij5kD2rY

Any help would be appreciated. Thanks in advance.

  • `chrome-extension://hjkmpahjllmdacbcennobnfcagfdaife/test/test-runner.html` is a local link to a file on your PC. – Tom Burris Jun 08 '16 at 08:40
  • @TomBurris yes, it is. How can I allow this URL? If I package this, I'll have the same URL with a different extension ID. – pvnarula Jun 08 '16 at 08:43
  • I'd recommend copying the contents of `test-runner.html` and uploading it to http://www.pastebin.com or a similar site, then sharing that link on here. – Tom Burris Jun 08 '16 at 08:46
  • @TomBurris Here is the url http://pastebin.com/ij5kD2rY. – pvnarula Jun 08 '16 at 08:50

2 Answers


To prevent cross-site scripting, Google has blocked the eval function.

To solve this, add this to manifest.json:

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"

(by abhilash; the original answer can be found here)

  • But that is if you are running the extension. I am unit testing its resources using the chrome-extension: URL and extension resources. How to allow CSP for chrome-extension: URLs? – pvnarula Jun 08 '16 at 22:33

In using eval in Chrome extensions, safely, the following policy restriction was given:

script must be moved out-of-line into separate JavaScript files, inline event handlers must be converted to use addEventListener, and eval() is disabled.

Also noted in the documentation,

eval is dangerous inside an extension because the code it executes has access to everything in the extension's high-permission environment.

But, since a variety of libraries use eval() and eval-like constructs such as new Function() for performance optimization and ease of expression, sandboxing was introduced as a safe mechanism to include these libraries in your projects without compromising on security.

So, to create and use a sandbox, list the files in the manifest. Each file that ought to run inside a sandbox must be listed in the extension manifest by adding a sandbox property, which looks like this:

{
  ...,
  "sandbox": {
     "pages": ["sandbox.html"]
  },
  ...
}

You may go through the documentation for samples and to fully understand the sandbox.

Additionally, this thread in GitHub - unsafe-eval security error in chrome extension might also help wherein it was mentioned that this was already a fixed issue.

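Both answers turn on the same fact: the stack trace in the question shows the EvalError raised inside sinon's createProxy, so it is the library, not the test code, that the policy blocks. The usual reason a stubbing library reaches for eval() or new Function() is to give the generated proxy the same .length as the method it replaces; whether that is precisely what sinon.js line 2488 does is not shown on this page and is assumed here. As an added example (not code from the question, the answers, or sinon), the block below puts that eval-based pattern beside a CSP-safe one that preserves arity with Object.defineProperty on length, and uses it to stub a constructed api.fetchUser method without needing 'unsafe-eval' or a sandbox page. The names createProxyWithEval, createProxy, stub, demo and api.fetchUser are all assumed for illustration.

```javascript
'use strict';

// For contrast: how an eval-based library typically builds an arity-preserving
// proxy. Building the parameter list as text and handing it to new Function()
// is exactly the step a "script-src 'self'" policy refuses with EvalError.
// This helper is defined for comparison only and is never called here.
function createProxyWithEval(impl, arity) {
  const params = Array.from({ length: arity }, (_, i) => 'a' + i).join(', ');
  const factory = new Function(
    'impl',
    `return function proxy(${params}) { return impl.apply(this, arguments); };`
  );
  return factory(impl);
}

// CSP-safe equivalent: a fixed function plus a redefined .length.
// Function.prototype.length is configurable since ES2015, so the arity can
// be preserved without turning any text into code.
function createProxy(impl, arity) {
  const proxy = function () {
    return impl.apply(this, arguments);
  };
  Object.defineProperty(proxy, 'length', { value: arity, configurable: true });
  return proxy;
}

// Minimal stub: replaces obj[method] with a recording proxy that keeps the
// original's arity and offers returns()/callsFake()/restore().
function stub(obj, method) {
  const original = obj[method];
  if (typeof original !== 'function') {
    throw new TypeError(`Cannot stub non-function property "${method}"`);
  }
  const calls = [];
  let behaviour = function () { return undefined; };

  const proxy = createProxy(function () {
    const args = Array.prototype.slice.call(arguments);
    calls.push({ thisValue: this, args });
    return behaviour.apply(this, args);
  }, original.length);

  proxy.calls = calls;
  proxy.returns = function (value) {
    behaviour = function () { return value; };
    return proxy;
  };
  proxy.callsFake = function (fn) {
    behaviour = fn;
    return proxy;
  };
  proxy.restore = function () {
    obj[method] = original;
  };

  obj[method] = proxy;
  return proxy;
}

// Constructed sample (hypothetical api object): a method that must not be
// called for real from a unit test. Returns the values a test would check.
function demo() {
  const api = {
    fetchUser(id, opts) {
      throw new Error('network access not allowed in unit tests');
    },
  };
  const s = stub(api, 'fetchUser').returns({ id: 7, name: 'stubbed' });
  const result = api.fetchUser(7, { fresh: true });
  const recorded = s.calls.length;
  const arityPreserved = api.fetchUser.length === 2;
  s.restore();
  const restored = api.fetchUser.length === 2 && !('calls' in api.fetchUser);
  return { result, recorded, arityPreserved, restored };
}
```

Run it under Node or load it as a plain script file from an extension page; stub() and createProxy() work under "script-src 'self'" because they never evaluate a string. Only createProxyWithEval would throw in the extension page, and only if it were called, so a test bundle that still needs the default extension CSP should not ship it.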