0

I'm building a Chrome app and I am trying to add a function inside an object inside chrome.storage.local, but when I'm doing it, it does not appear if you try to get it (all the other things appear, but not the function).

But if you try to do it on a normal object like

```javascript
let a = {
    b: function() {
        return 'This is working'
    }
};
```

then it works.

It wouldn't be a problem if I could just use eval, but due to security on the Chrome app it does not work.

What I'm trying to do is:

```javascript
chrome.storage.local.set({
    'obj': [{
        example: 'hello',
        fn: function() {
            return 'This is not working'
        }
    }]
});
```

Then if you do

```javascript
chrome.storage.local.get('obj', function(e) {
    console.log(e.obj)
});
```

Then it will return with

Array (length 1): example: "hello"

and not the function.

Thanks.

saulotoledo
  • If that's writing to localStorage, then code is not permitted. – Daniel A. White Jul 10 '19 at 13:54
  • 3
    No. The API basically stores what you would see if you do JSON.stringify() and functions are not JSON-ifiable. This is explicitly stated in the [documentation](https://developer.chrome.com/extensions/storage#method-StorageArea-set). – wOxxOm Jul 10 '19 at 13:55
  • Why would this even be useful? – junvar Jul 10 '19 at 13:57
  • Can this help you?: [Calling object methods within that object](https://stackoverflow.com/a/10918270/4208845) And: [chrome.storage.local.get and set \[duplicate\]](https://stackoverflow.com/a/13873275/4208845) – Thomas Cayne Jul 10 '19 at 14:00
  • You can save the function as string `fn.toString()` and eval the string after getting it back from localStorage – AvcS Jul 10 '19 at 14:04
  • I'm building a system which will have programs with callbacks (junvar) – frogDoraTheRollerskatingFedora Jul 10 '19 at 14:07
  • As described above, chrome.storage.local does not support this. Can you elaborate on what "callbacks" your system wants to store? Where does this code come from? User generated? From the network? From elsewhere (but where)? Using the JavaScript engine to run code that is not part of your source code is almost always a mistake because it usually involves significant security risks. With more information we might be able to provide an alternative way to achieve what you're trying to do. – dharcourt Jul 11 '19 at 07:06

1 Answer

-1

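Store arguments and the body like this

```javascript
// Stored shape: the parameter list and the body are kept as strings
const stored = { function: { arguments: "a,b,c", body: "return a*b+c;" } };
```

Retrieve it and instantiate the function:

```javascript
// `stored` is the object read back from storage (`function` alone is a reserved word)
let f = new Function(stored.function.arguments, stored.function.body);
```
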
Ethan Vu
  • It returns an error: 'unsafe-eval'. Is there any way to add a permission or prevent this? – frogDoraTheRollerskatingFedora Jul 10 '19 at 14:04
  • I haven't encountered this error before, but I found this https://stackoverflow.com/questions/26242682/unsafe-eval-on-chrome-extension , hope it helps you – Ethan Vu Jul 10 '19 at 14:20
  • This does not work without disabling a critical part of Chrome App's content security policy, which has significant security implications, so I think this answer is likely to cause more problems than it will solve and I would strongly discourage doing what it suggests. – dharcourt Jul 11 '19 at 07:14
  • Actually, the answer is not suggesting that you disable it, and if it is as you said, I would like to read more about "significant security implications". It led to an option: @javaveryhot asked about permission and, like I said, I haven't encountered this error before, and there is another post asking for a way to get rid of the error. – Ethan Vu Jul 11 '19 at 08:07
  • @EthanVu: The original question was about a Chrome App, and Chrome apps implement a "Content Security Policy" (CSP) that prevents your answer from working unless you disable a critical part of that content security policy, for example by using the `unsafe-eval` flag suggested in the answer to the StackOverflow question you link to... and I never said your answer suggested disabling part of Chrome's CSP, just that your answer wouldn't work without that disabling. – dharcourt Jul 16 '19 at 18:58
  • 1
    @EthanVu: There are many references on the internet about Content Security Policy (CSP), the security it provides, and the risks involved with disabling it, much of it worth reading. An introduction can be found at https://developers.google.com/web/fundamentals/security/csp/. Opinions vary about whether it's advisable to ever disable CSP, but in my experience it's never necessary, so I think it would be interesting to better understand what the original poster is trying to do before suggesting something that requires partially disabling CSP. – dharcourt Jul 16 '19 at 19:08
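
An alternative that leaves the Content Security Policy intact, as an added example that is not part of the original thread: store only a handler name and its arguments, and resolve the name against a registry of functions that ship in the app's own source. `roundTrip`, `HANDLERS` and `invokeStored` are hypothetical names, and `roundTrip` approximates chrome.storage.local with a JSON round trip so the block runs offline.

```javascript
// Added example, not code from the thread. Runs in Node.js or a browser.
// roundTrip() stands in for chrome.storage.local set/get (assumption: the
// store keeps what JSON.stringify() would keep, as the comments above say).
function roundTrip(value) {
  return JSON.parse(JSON.stringify(value));
}

// Handlers are defined in source, so nothing is compiled from a string and
// the CSP never needs 'unsafe-eval'. Handler names here are hypothetical.
const HANDLERS = Object.freeze({
  greet: (args) => `hello ${String(args.name)}`,
  scale: (args) => Number(args.a) * Number(args.b) + Number(args.c),
});

// Resolve a stored descriptor { handler, args } against the allowlist.
function invokeStored(descriptor) {
  if (descriptor === null || typeof descriptor !== 'object') {
    throw new TypeError('descriptor must be an object');
  }
  const { handler, args = {} } = descriptor;
  // Own-property check rejects inherited keys such as "constructor".
  if (typeof handler !== 'string' ||
      !Object.prototype.hasOwnProperty.call(HANDLERS, handler)) {
    throw new Error(`unknown handler: ${String(handler)}`);
  }
  return HANDLERS[handler](args);
}

// Constructed sample data: the question's shape vs. a data-only descriptor.
const attempted = roundTrip({
  obj: [{ example: 'hello', fn: function () { return 'This is not working'; } }],
});
const stored = roundTrip({
  obj: [{ example: 'hello', callback: { handler: 'scale', args: { a: 2, b: 3, c: 4 } } }],
});

console.log('fn' in attempted.obj[0]);             // the function did not survive
console.log(invokeStored(stored.obj[0].callback)); // runs the allowlisted handler
```

Stored data can then only select among behaviours the app already ships; a tampered or unknown handler name is rejected instead of executed.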