mirror of
https://github.com/atom/atom.git
synced 2026-04-28 03:01:47 -04:00
Add atom.allowUnsafeEval loophole and disable unsafe-eval again
With Node.js baked in, there's no water-tight way to prevent users from evaluating code at runtime, at least with CSP alone. This is because node exposes a 'vm' module that allows scripts to be compiled. There's also `module._compile`, etc. I think a reasonable compromise is to protect users from eval'ing code by accident. This commit adds an atom.allowUnsafeEval method which re-enables eval in the dynamic scope of the given function. I then use this to compile the keystroke grammar which saves us the complexity of pre-compiling it during specs. What do people think?
This commit is contained in:
Nathan Sobo
@@ -3,7 +3,7 @@
|
||||
<head>
|
||||
<title></title>
|
||||
|
||||
<meta http-equiv="Content-Security-Policy" content="default-src *; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';">
|
||||
<meta http-equiv="Content-Security-Policy" content="default-src *; script-src 'self'; style-src 'self' 'unsafe-inline';">
|
||||
|
||||
<script src="index.js"></script>
|
||||
</head>
|
||||
|
||||
Reference in New Issue
Block a user