Some thoughts about Webix in Chrome Extensions

Hello!

Recently I was playing with Webix in Chrome extensions and had to loosen the extension restrictions in the manifest due to eval/Function() usage and inline style addition. One thing I couldn't resolve by loosening restrictions: "view: iframe" injects an inline event handler (onload), which causes the error
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.

I tried removing the "onload" handler which you are injecting, but everything stopped working. In the end I worked around it using htmlform with an iframe template.

You can download the extension at:

Also wanted to note that I commented out the line in webix_debug.js where I try to remove the iframe onload handler; here's the line:
// $(top_node._viewobj).find('iframe').attr('onload', null)

So in the end, the "view: iframe" onload handler renders the iframe component unusable.

Thank you! :slight_smile:

Eval is used only in one place and can easily be replaced with JSON.parse for modern browsers.
"Function" is heavily used for templating, so it can't be fully disabled.

The iframe event handler is placed in a try/catch. It is expected that it will fail in most cases (it will work only for sub-pages from the same domain).

We can add some kind of "strict mode" flag that will disable eval and iframe handler usage. Still, the problem with templates doesn't have a simple solution.

Chrome extensions treat both eval and Function the same, so eliminating only one of them won't have any effect. So, my thoughts are: don't bother with the eval replacement, since it's not the deal breaker.
That "strict mode" for eliminating inline handlers is a good idea, though!

Thanks :slight_smile: