Refused to evaluate a string as JavaScript because 'unsafe-eval' is not allowed

Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/48047150/

Date: 2020-08-23 04:00:23  Source: igfitidea


javascript google-chrome-extension angular5

Asked by Alexander Mills

I get this error when reloading my Chrome Extension:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:".


    at new Function (<anonymous>)
    at evalExpression (compiler.js:33919)
    at jitStatements (compiler.js:33937)
    at JitCompiler.webpackJsonp.../../../compiler/esm5/compiler.js.JitCompiler._interpretOrJit (compiler.js:34520)
    at JitCompiler.webpackJsonp.../../../compiler/esm5/compiler.js.JitCompiler._compileTemplate (compiler.js:34448)
    at compiler.js:34347
    at Set.forEach (<anonymous>)
    at JitCompiler.webpackJsonp.../../../compiler/esm5/compiler.js.JitCompiler._compileComponents (compiler.js:34347)
    at compiler.js:34217
    at Object.then (compiler.js:474)

I have this in my manifest.json:

 "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"

is there any other setting I can use to avoid that error?

Accepted answer by Simon Hyll

A chrome extension is not allowed to use unsafe-eval, or eval at all in fact.

https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Content_Security_Policy

When making a Chrome extension, understand that it's severely limited by Content Security Policies. Make sure you read and understand the WebExtensions Content Security Policy. If you want to have an inline script like:

<script>
    alert('hello')
</script>

You're gonna have to calculate the script tag's contents into its SHA256 value and add that to your manifest in order for it to be allowed to be executed.

Answer by Randy

Took me a few hours but what you probably want to do is change the style of source mapping webpack uses. By default it uses eval.

https://webpack.js.org/configuration/devtool/

I added this to my webpack.config.js: devtool: 'cheap-module-source-map'

The trick to this was figuring out why webpack --mode development has the error and webpack --mode production didn't.

Also I'm using React not Polymer but I'm pretty sure this still applies.

Answer by takrishna

Interesting read to overcome via Manifest

https://developer.chrome.com/extensions/contentSecurityPolicy

Evaluated JavaScript

The policy against eval() and its relatives like setTimeout(String), setInterval(String), and new Function(String) can be relaxed by adding 'unsafe-eval' to your policy:

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'" 

However, we strongly recommend against doing this. These functions are notorious XSS attack vectors.

Answer by GabrielN

In my case working on an MVC 5 application, all I had to do was to install the Nuget package in Visual Studio: 'NWebsec.Mvc' and the application ran just fine.
