Skip to content

Instantly share code, notes, and snippets.

@blake-ctrl
Last active March 16, 2024 17:04
Show Gist options
  • Save blake-ctrl/778db8715556d1bc1af00338a8d755b9 to your computer and use it in GitHub Desktop.
Save blake-ctrl/778db8715556d1bc1af00338a8d755b9 to your computer and use it in GitHub Desktop.
Chromium Patch to allow Javascript 'unsafe-eval' in manifest v3 extensions. DEVELOPMENT TOOL TO ENABLE CLJS HOT-RELOADING
From 36a4180bd37e851686b95ac4aac5bfe22036ce49 Mon Sep 17 00:00:00 2001
From: root <root@chromium.lxd>
Date: Tue, 19 Sep 2023 02:53:45 +0000
Subject: [PATCH] Hacks to allow unsafe-eval in mv3 chrome extensions
---
chrome/browser/ash/system_web_apps/apps/terminal_source.cc | 2 +-
extensions/common/csp_validator.cc | 2 +-
extensions/common/manifest_handlers/csp_info.cc | 6 +++---
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/chrome/browser/ash/system_web_apps/apps/terminal_source.cc b/chrome/browser/ash/system_web_apps/apps/terminal_source.cc
index ea31108c25..938672aec4 100644
--- a/chrome/browser/ash/system_web_apps/apps/terminal_source.cc
+++ b/chrome/browser/ash/system_web_apps/apps/terminal_source.cc
@@ -241,7 +241,7 @@ std::string TerminalSource::GetContentSecurityPolicy(
case network::mojom::CSPDirectiveName::ObjectSrc:
return "object-src 'self';";
case network::mojom::CSPDirectiveName::ScriptSrc:
- return "script-src 'self' 'wasm-unsafe-eval';";
+ return "script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval';";
case network::mojom::CSPDirectiveName::WorkerSrc:
return "worker-src 'self';";
default:
diff --git a/extensions/common/csp_validator.cc b/extensions/common/csp_validator.cc
index 07a0e467c5..5206e8c954 100644
--- a/extensions/common/csp_validator.cc
+++ b/extensions/common/csp_validator.cc
@@ -719,7 +719,7 @@ bool DoesCSPDisallowRemoteCode(const std::string& content_security_policy,
return source_lower == kSelfSource || source_lower == kNoneSource ||
IsLocalHostSource(source_lower) ||
- source_lower == kWasmUnsafeEvalSource;
+ source_lower == kWasmUnsafeEvalSource || source_lower == "'unsafe-eval'";
});
if (it == directive_values.end())
diff --git a/extensions/common/manifest_handlers/csp_info.cc b/extensions/common/manifest_handlers/csp_info.cc
index 1fcbea13b4..2533766748 100644
--- a/extensions/common/manifest_handlers/csp_info.cc
+++ b/extensions/common/manifest_handlers/csp_info.cc
@@ -43,12 +43,12 @@ static const char kDefaultMV3CSP[] = "script-src 'self';";
// The minimum CSP to be used in order to prevent remote scripts.
static const char kMinimumMV3CSP[] =
- "script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules'; "
+ "script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' 'inline-speculation-rules'; "
"object-src 'self';";
// For unpacked extensions, we additionally allow the use of localhost files to
// aid in rapid local development.
static const char kMinimumUnpackedMV3CSP[] =
- "script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules' "
+ "script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' 'inline-speculation-rules' "
"http://localhost:* http://127.0.0.1:*; object-src 'self';";
#define PLATFORM_APP_LOCAL_CSP_SOURCES "'self' blob: filesystem: data:"
@@ -82,7 +82,7 @@ int GetValidatorOptions(Extension* extension) {
extension->GetType() == Manifest::TYPE_LEGACY_PACKAGED_APP) {
options |= csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL;
}
-
+ options |= csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL;
// Component extensions can specify an insecure object-src directive. This
// should be safe because non-NPAPI plugins should load in a sandboxed process
// and only allow communication via postMessage.
--
2.39.2
@blake-ctrl
Copy link
Author

blake-ctrl commented Sep 19, 2023

This patch can be used to build a modified Chromium browser that
allows Javascript evaluation from within Manifest V3 (MV3) browser extensions.

This was made specifically to enable ClojureScript hot-reloading with Shadow-cljs of a browser extension under development.

Inspiration comes from users dvingo and yqrashawn in this shadow-cljs issue thread: thheller/shadow-cljs#902

It has no safe use beyond being a development tool.

It should be possible to git apply this patch to Chromium source around commit 36a4180bd37e851686b95ac4aac5bfe22036ce49
and build by normal means.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment