Hello everyone,
Currently, when validating our extension to get Mozilla signing, I got the issue below:
Warning: Evaluation of strings as code can lead to security vulnerabilities and performance issues, even in the most innocuous of circumstances. Please avoid using eval and the Function constructor when at all possible.
Suggestions for passing automated signing:
Please try to avoid evaluating strings as code wherever possible. Read over the linked document for suggested alternatives. If you are referencing the Function constructor without calling it, and cannot avoid continuing to do so, consider alternatives such as calling Object.getPrototypeOf on an existing function object.
Source code:
const { classes: Cc, Constructor: CC, interfaces: Ci, utils: Cu, results: Cr, manager: Cm } = Components;
// bind(fn, thisArg, ...args) === fn.bind(thisArg, ...args); this is the line the linter flags
const bind = Function.call.bind(Function.bind);
...
return Object.freeze({
  Cc: Cc, Ci: Ci, Cu: Cu, Cr: Cr, Cm: Cm,
  CC: bind(CC, Components),
  components: Components,
  ChromeWorker: ChromeWorker,
});
I tried removing bind() and it still works. But I know it is not as good as the original design. Could someone advise me how to change the code so that it does not use the Function constructor but still keeps the logic of the original design?
Thank you so much.
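The linter's hint can be applied directly to the `bind` helper in the post: `Object.getPrototypeOf` on any existing function object returns `Function.prototype`, which carries the same `call` and `bind` methods, so the helper can be built without ever naming the `Function` constructor. The following is an added example, not code from the post; `CCLike` and `fakeComponents` are constructed stand-ins for `CC` and `Components`, which only exist in privileged Firefox code.

```javascript
// Original helper from the post, kept only so the two forms can be compared.
// Referencing `Function` is what triggers the add-on linter warning.
const bindViaFunction = Function.call.bind(Function.bind);

// Replacement: reach Function.prototype through an existing function object
// instead of through the `Function` identifier. `call` and `bind` are the same
// built-ins either way, so behaviour is identical.
const FunctionProto = Object.getPrototypeOf(function () {});
const bind = FunctionProto.call.bind(FunctionProto.bind);

// Constructed stand-ins for the post's `Components` and `Components.Constructor`:
// a factory whose `this` must be pinned to one object, exactly the reason the
// post wraps CC with bind(CC, Components).
const fakeComponents = { label: "constructed-components" };
function CCLike(contractId) {
  return `${this.label}:${contractId}`;
}

// A second function to show that bind() also forwards leading arguments.
function join(sep, a, b) {
  return [this.prefix, a, b].join(sep);
}

function demo() {
  const viaFunction = bindViaFunction(CCLike, fakeComponents);
  const viaProto = bind(CCLike, fakeComponents);
  const joinWithDash = bind(join, { prefix: "p" }, "-");
  return {
    // same prototype object the linter suggests reaching via getPrototypeOf
    sameProto: FunctionProto === Object.getPrototypeOf(CCLike),
    viaFunction: viaFunction("@mozilla.org/example;1"),
    viaProto: viaProto("@mozilla.org/example;1"),
    // helper works for partial application too, like Function.prototype.bind
    joined: joinWithDash("x", "y"),
  };
}
```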