We are interacting with a native messaging host to obtain a user-customizable script for mapping AuthRequest info to a Credential from their corporate password vault.
Current plan, similar to the prior release, was to use Function/AsyncFunction:
new AsyncFunction('broker', '"use strict";' + response.script + ';')
new Function('"use strict";' + response.subs + ';');
Issue - On submitting the next version for review,
Cse wrote:
Extensions defining a content security policy that allows eval ('unsafe-eval') are generally not allowed for security and performance reasons. eval is only necessary in rare cases. Please use a different method.
We don't use eval, but creating a new Function/AsyncFunction seems to still require 'unsafe-eval' to be enabled, or something else we haven't identified.
We use these specifically to avoid eval, believing them to be safer.
When 'unsafe-eval' is removed from the CSP, Mozilla reports:
Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”).
This doesn't really tell us what went wrong or how to address it, except by the associated line with AsyncFunction.
In Chrome, a similar issue is present, with a slightly more helpful message:
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'"
Questions - Can you advise on:
- Is there some CSP for identifying text that came from native messaging that can be converted to a function? (like moz-extension:\nativemessaging ?)
- Is there some alternate way to have native messaging send the customizable function to the browser so it’s executable?
- Is there an alternate permission, or an alternate method of evaluating a string into active JS, i.e.
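One way to avoid the need for 'unsafe-eval' entirely, as an added example that is not part of the original post or the extension: have the native messaging host send a data-only rule set (JSON) describing the AuthRequest-to-Credential mapping, and let the extension interpret it, instead of compiling host-supplied script with new Function / new AsyncFunction (both are string-to-code constructs and fall under the same CSP restriction as eval). The rule format and the AuthRequest and vault field names below are assumptions for illustration.

```javascript
// Constructed rule set as a native messaging host might return it: pure data,
// no executable code, so nothing here needs 'unsafe-eval' to apply.
const RULES_FROM_HOST = {
  rules: [
    { match: { field: "host", endsWith: "corp.example" },
      credential: { username: "fields.login", password: "fields.pw" } },
    { match: { field: "realm", equals: "VPN" },
      credential: { username: "vpn.user", password: "vpn.secret" } },
  ],
};

// Resolve a dotted path such as "fields.login" against a plain object.
// Only own properties are followed, so a path like "constructor" or
// "__proto__" cannot reach anything on the prototype chain.
function getPath(obj, path) {
  return path.split(".").reduce((cur, key) => {
    if (cur === null || typeof cur !== "object") return undefined;
    return Object.prototype.hasOwnProperty.call(cur, key) ? cur[key] : undefined;
  }, obj);
}

// Evaluate one declarative match clause against the AuthRequest (assumed shape).
function ruleMatches(match, authRequest) {
  const value = getPath(authRequest, match.field);
  if (typeof value !== "string") return false;
  if ("equals" in match) return value === match.equals;
  if ("endsWith" in match) return value.endsWith(match.endsWith);
  return false; // unknown clause types never match
}

// Map an AuthRequest to a Credential using the host-supplied rules and the
// user's vault entry; returns null when no rule applies or fields are missing.
function mapAuthRequest(rules, authRequest, vaultEntry) {
  for (const rule of rules.rules) {
    if (!ruleMatches(rule.match, authRequest)) continue;
    const username = getPath(vaultEntry, rule.credential.username);
    const password = getPath(vaultEntry, rule.credential.password);
    if (typeof username === "string" && typeof password === "string") {
      return { username, password };
    }
  }
  return null;
}
```

The rule vocabulary can grow (regex hosts, multiple conditions) without ever handing the host a way to run code inside the extension.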