Adding 'unsafe-eval' to existing chrome extension

Question

I have an existing chrome extension in Chrome store which is being used by many people. Now I added alasql which uses eval function because of which I had to enable unsafe-eval in content_security_policy. I wanted to know will this affect existing users somehow ?

Last time I added geolocation permission in permissions and it disabled the extension for existing users. Users had to manually enable it.

It may be possible to side-step `unsafe-eval` altogether. alaSQL mentions [`module.noParse`] (https://github.com/agershun/alasql/blob/d16eaf41d906ba4ecf28db399bc85c85e73f3904/README.md#modulenoparse) in the README. Also see [this](https://github.com/webpack-contrib/script-loader/issues/6#issuecomment-148436784) issue on webpack CSP(Content Security Policy). — rmharrison, Jul 13 '17 at 06:33
Changing manifest's CSP doesn't introduce new permissions so no warning should ensue. — wOxxOm, Jul 13 '17 at 08:33

score 1 · Answer 1 · answered Jul 13 '17 at 10:07

1

unsafe-eval does not result in user-visible warnings; as such, there will be no automated disabling of the extension upon update.

However, this is a big red flag for update review. It greatly increases likelihood that the new version will trigger manual review for your extension.

answered Jul 13 '17 at 10:07

Xan

74,770
16
179
206

can you please suggest what can I do to this, while using alasql. – Sanyam Jain Jul 13 '17 at 10:41

Adding 'unsafe-eval' to existing chrome extension

1 Answers1