Addon's usage of JS from native messaging source

We are interacting with a native messaging host to obtain a user-customizable script for mapping AuthRequest info to a Credential from their corporate password vault

Current plan, similar to prior release, was to use Function/AsyncFunction
// AsyncFunction is not a global; it is obtained as Object.getPrototypeOf(async function () {}).constructor
new AsyncFunction('broker', '"use strict";' + response.script + ';');
new Function('"use strict";' + response.subs + ';');

Issue - On submitting next version for review

Cse wrote:

Extensions defining a content security policy that allows eval (‘unsafe-eval’) are generally not allowed for security and performance reasons. eval is only necessary in rare cases. Please use a different method.

We don’t use eval, but creating a new Function/AsyncFunction seems to still require ‘unsafe-eval’ to be enabled, or something else we haven’t identified.
We use these specifically to avoid eval, believing them to be safer.

When ‘unsafe-eval’ is removed from CSP, Mozilla reports
Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”).
This doesn’t really tell us what went wrong or how to address it, except by the associated line with AsyncFunction.

In Chrome, a similar issue is present, with a slightly more helpful message:
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'"

Questions - Can you advise on

  • Is there some CSP for identifying text that came from native messaging that can be converted to a function? (like moz-extension:\nativemessaging ?)
  • Is there some alternate way to have native messaging send the customizable function to the browser so it’s executable?
  • Is there an alternate permission, or an alternate method of evaluating a string into active JS, i.e.

That is because they are essentially eval.

I mostly wonder why the entire script has to be pre-generated, and if you couldn’t just pass in the data required for the script to take the correct action from native messaging?

Also note, if you want to discuss about specifics of a review, it’s best to reply within the review thread on addons.mozilla.org. So I’m assuming you are seeking general advice for how to deal with not using eval.

Thanks Martin,

On pre-generate
We have an existing scripting language; rather than trying to rebuild the parser for that in JS, or building a table of action data and a custom runner, it seemed more efficient to ‘compile’ it across to JS using our existing tech. The eval issues came up close to our previous release point and distribution, where we found documentation that Function/AsyncFunction were safer.

On discussing review
I’m a bit divorced from the distribution to stores and don’t normally access AMO.
I have been replying to the thread via email, but on asking this sort of question there I was advised to ask dev questions here. Is there some alternate method in AMO to communicate? Is there some way of seeking an exception as we work to improve this?

Have now found the right email for AMO and the extension, and have been able to look at the AMO dev dashboard and product, but I can’t seem to find a way to interact with the thread there.

I guess, finally, a statement of ‘Please use a different method’ doesn’t leave much scope for ongoing discussion, such as how to negotiate if this is such a rare case, especially with the threat of removal from the store.

I don’t think you will get an exception here…
Eval is evil. That’s it.
If you need user scripts, maybe you can use userScripts API: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/userScripts

But if you just need to control your addon from an external app, then using simple action messages with attached data feels like a much better solution.
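The approach suggested above by Martin and in the last reply, as an added example that is not code from this thread or from the poster's extension: the native messaging host sends a declarative rule list as data, and the extension interprets it, so no string is ever turned into a function and ‘unsafe-eval’ is not needed. The AuthRequest field names, the operator set, the message shape and the sample vault are assumptions made for this example.

```javascript
// Added example, not the original poster's code. The native host sends rules as data
// (e.g. via browser.runtime.sendNativeMessage) and the extension interprets them below;
// nothing is passed to eval, Function or AsyncFunction. Field names, operators and the
// message shape are assumptions for this example.

const ALLOWED_FIELDS = new Set(["origin", "realm", "scheme"]); // AuthRequest fields rules may inspect
const OPERATORS = {                                             // closed set of string comparisons
  equals:     (a, b) => a === b,
  endsWith:   (a, b) => a.endsWith(b),
  startsWith: (a, b) => a.startsWith(b),
  contains:   (a, b) => a.includes(b),
};

// Reject anything from the (untrusted) native host that is not a well-formed rule.
function validateRule(rule) {
  const ok = rule && typeof rule === "object"
    && Array.isArray(rule.when) && rule.when.every(c => c && typeof c === "object"
      && ALLOWED_FIELDS.has(c.field) && Object.hasOwn(OPERATORS, c.op) && typeof c.value === "string")
    && typeof rule.pick === "string";
  if (!ok) throw new Error("rejected malformed rule from native host");
  return rule;
}

// Parse the host's message into validated rules; a message carrying a script instead is refused.
function parseRules(message) {
  if (!message || !Array.isArray(message.rules)) throw new Error("no rules array in message");
  return message.rules.map(validateRule);
}

// Map an AuthRequest to a vault entry: the first rule whose conditions all hold wins.
function selectCredential(authRequest, rules, vault) {
  for (const rule of rules) {
    const matched = rule.when.every(c => OPERATORS[c.op](String(authRequest[c.field] ?? ""), c.value));
    if (matched && Object.hasOwn(vault, rule.pick)) return vault[rule.pick];
  }
  return null;
}

// Constructed sample data standing in for the native messaging response and the password vault.
const SAMPLE_MESSAGE = { rules: [
  { when: [{ field: "origin", op: "endsWith", value: ".corp.example" },
           { field: "scheme", op: "equals", value: "basic" }], pick: "corp-basic" },
  { when: [{ field: "realm", op: "contains", value: "VPN" }], pick: "vpn-token" },
]};
const SAMPLE_VAULT = { "corp-basic": { user: "alice", secret: "s3cret-placeholder" },
                       "vpn-token":  { user: "alice", secret: "otp-placeholder" } };

console.log(selectCredential({ origin: "intranet.corp.example", scheme: "basic", realm: "" },
                             parseRules(SAMPLE_MESSAGE), SAMPLE_VAULT));
```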