Skip to content

Instantly share code, notes, and snippets.

@dissoc
Forked from blake-ctrl/allow-unsafe-eval.patch
Created February 22, 2024 08:38
Show Gist options
  • Save dissoc/666c3035fd7189b848adf0d64b788180 to your computer and use it in GitHub Desktop.
Save dissoc/666c3035fd7189b848adf0d64b788180 to your computer and use it in GitHub Desktop.
Chromium Patch to allow Javascript 'unsafe-eval' in manifest v3 extensions. DEVELOPMENT TOOL TO ENABLE CLJS HOT-RELOADING
From 36a4180bd37e851686b95ac4aac5bfe22036ce49 Mon Sep 17 00:00:00 2001
From: root <root@chromium.lxd>
Date: Tue, 19 Sep 2023 02:53:45 +0000
Subject: [PATCH] Hacks to allow unsafe-eval in mv3 chrome extensions
---
chrome/browser/ash/system_web_apps/apps/terminal_source.cc | 2 +-
extensions/common/csp_validator.cc | 2 +-
extensions/common/manifest_handlers/csp_info.cc | 6 +++---
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/chrome/browser/ash/system_web_apps/apps/terminal_source.cc b/chrome/browser/ash/system_web_apps/apps/terminal_source.cc
index ea31108c25..938672aec4 100644
--- a/chrome/browser/ash/system_web_apps/apps/terminal_source.cc
+++ b/chrome/browser/ash/system_web_apps/apps/terminal_source.cc
@@ -241,7 +241,7 @@ std::string TerminalSource::GetContentSecurityPolicy(
case network::mojom::CSPDirectiveName::ObjectSrc:
return "object-src 'self';";
case network::mojom::CSPDirectiveName::ScriptSrc:
- return "script-src 'self' 'wasm-unsafe-eval';";
+ return "script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval';";
case network::mojom::CSPDirectiveName::WorkerSrc:
return "worker-src 'self';";
default:
diff --git a/extensions/common/csp_validator.cc b/extensions/common/csp_validator.cc
index 07a0e467c5..5206e8c954 100644
--- a/extensions/common/csp_validator.cc
+++ b/extensions/common/csp_validator.cc
@@ -719,7 +719,7 @@ bool DoesCSPDisallowRemoteCode(const std::string& content_security_policy,
return source_lower == kSelfSource || source_lower == kNoneSource ||
IsLocalHostSource(source_lower) ||
- source_lower == kWasmUnsafeEvalSource;
+ source_lower == kWasmUnsafeEvalSource || source_lower == "'unsafe-eval'";
});
if (it == directive_values.end())
diff --git a/extensions/common/manifest_handlers/csp_info.cc b/extensions/common/manifest_handlers/csp_info.cc
index 1fcbea13b4..2533766748 100644
--- a/extensions/common/manifest_handlers/csp_info.cc
+++ b/extensions/common/manifest_handlers/csp_info.cc
@@ -43,12 +43,12 @@ static const char kDefaultMV3CSP[] = "script-src 'self';";
// The minimum CSP to be used in order to prevent remote scripts.
static const char kMinimumMV3CSP[] =
- "script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules'; "
+ "script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' 'inline-speculation-rules'; "
"object-src 'self';";
// For unpacked extensions, we additionally allow the use of localhost files to
// aid in rapid local development.
static const char kMinimumUnpackedMV3CSP[] =
- "script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules' "
+ "script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' 'inline-speculation-rules' "
"http://localhost:* http://127.0.0.1:*; object-src 'self';";
#define PLATFORM_APP_LOCAL_CSP_SOURCES "'self' blob: filesystem: data:"
@@ -82,7 +82,7 @@ int GetValidatorOptions(Extension* extension) {
extension->GetType() == Manifest::TYPE_LEGACY_PACKAGED_APP) {
options |= csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL;
}
-
+ options |= csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL;
// Component extensions can specify an insecure object-src directive. This
// should be safe because non-NPAPI plugins should load in a sandboxed process
// and only allow communication via postMessage.
--
2.39.2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment