Need your help on "Access to the `Function` global" issue

Hello everyone,

Currently, while validating our extension for Mozilla signing, I got the issue below:

Warning: Evaluation of strings as code can lead to security vulnerabilities and performance issues, even in the most innocuous of circumstances. Please avoid using eval and the Function constructor when at all possible.

Suggestions for passing automated signing:
Please try to avoid evaluating strings as code wherever possible. Read over the linked document for suggested alternatives. If you are referencing the Function constructor without calling it, and cannot avoid continuing to do so, consider alternatives such as calling Object.getPrototypeOf on an existing function object.

Source code:

const { classes: Cc, Constructor: CC, interfaces: Ci, utils: Cu, results: Cr, manager: Cm } = Components;
const bind = Function.call.bind(Function.bind);
...
    return Object.freeze({ Cc: Cc, Ci: Ci, Cu: Cu, Cr: Cr, Cm: Cm,
      CC: bind(CC, Components), components: Components, ChromeWorker: ChromeWorker });

I tried removing bind() and it still works. But I know that is not as good as the original design. Could someone advise me how to change the code so that it does not use the Function constructor but still keeps the logic of the original design?

Thank you so much.

That code will pass review, but it will continue to be flagged because of the use of Function. Some developers use Function like they would use eval, which is why we flag all instances of Function. It shouldn’t be a problem in your case, though.

Thank you @jorgev for your support.

I got help and changed the code to

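function bind (fn, ctx) {
    // Return a wrapper that always calls fn with ctx as `this`.
    return function (...args) {
        // apply() takes the arguments as one array; return fn's result.
        return fn.apply(ctx, args);
    };
}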

This code will pass review and keep the same functionality.
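
Added example (not part of the thread and not the extension's own code): the validator's `Object.getPrototypeOf` suggestion applied to the original `bind` helper, next to the closure version, so the two can be compared. `Components` here is a constructed stand-in object, and the names `FunctionProto`, `bindNative`, `bindClosure` and `demo` are hypothetical.

```javascript
// Take Function.prototype from an existing function object, as the validator
// message suggests, so the `Function` global is never referenced.
const FunctionProto = Object.getPrototypeOf(function () {});

// Same value as the original `Function.call.bind(Function.bind)`:
// bindNative(fn, ctx, ...preset) behaves like fn.bind(ctx, ...preset).
const bindNative = FunctionProto.call.bind(FunctionProto.bind);

// Closure variant: forwards the arguments as an array and returns fn's result.
// Unlike the native bind, it does not accept preset arguments.
function bindClosure(fn, ctx) {
  return function (...args) {
    return fn.apply(ctx, args);
  };
}

// Constructed stand-in for Components / Components.Constructor (assumption,
// not the real Gecko object), so the snippet runs outside the browser.
const Components = {
  tag: 'components',
  Constructor(contractId, iface) {
    return { self: this.tag, contractId, iface };
  },
};

function demo() {
  const viaNative = bindNative(Components.Constructor, Components);
  const viaClosure = bindClosure(Components.Constructor, Components);
  return {
    native: viaNative('@example/contract;1', 'nsIExample'),
    closure: viaClosure('@example/contract;1', 'nsIExample'),
    // Preset arguments are only supported by the native bind.
    preset: bindNative(Components.Constructor, Components,
                       '@example/contract;1')('nsIExample'),
  };
}

console.log(demo());
```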