Handlebars.js: Chrome extension manifest v2 restricts use of eval

Created on 25 Feb 2013  ·  5 Comments  ·  Source: handlebars-lang/handlebars.js

Handlebars will not work in Chrome extensions with manifest_version: 2 because of a new security policy that restricts the use of eval and eval-like syntax.

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:".
handlebars.js:1402
JavaScriptCompiler.createFunctionContext handlebars.js:1402
JavaScriptCompiler.compile handlebars.js:1320
compile handlebars.js:2105
(anonymous function) handlebars.js:2112
(anonymous function) panel.js:14 <--- my script called Handlebars.compile()

All 5 comments

This is inherent to the design of the framework. If you are running in an environment where you cannot use dynamically generated JavaScript, you will need to precompile your templates and include the generated output with your package.
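
A pre-release check for the situation the maintainer describes, added here as an example that is not part of this issue or of Handlebars.js: it parses a Manifest V2 manifest to see whether `content_security_policy` has been weakened with `'unsafe-eval'`, and scans bundled scripts for the eval-like constructs the default policy blocks (including runtime `Handlebars.compile()` calls, which precompiled templates avoid). The manifests and script snippets are constructed samples.

```javascript
// Added example, not code from the issue or from Handlebars.js: a pre-release
// audit for a Manifest V2 Chrome extension that reports (a) a manifest CSP which
// re-enables 'unsafe-eval' and (b) bundled scripts that still use eval-like
// constructs the default policy refuses, plus runtime Handlebars.compile() calls.
// All manifests and script snippets below are constructed for the demo.
const MV2_DEFAULT_CSP = "script-src 'self'; object-src 'self'";
// Patterns that trip the 'unsafe-eval' restriction (or lead to it at runtime).
const EVAL_PATTERNS = [
  { name: "eval()",               re: /\beval\s*\(/ },
  { name: "Function constructor", re: /(^|[^.\w])(new\s+)?Function\s*(\.(apply|call))?\s*\(/ },
  { name: "setTimeout(string)",   re: /\bsetTimeout\s*\(\s*["'`]/ },
  { name: "setInterval(string)",  re: /\bsetInterval\s*\(\s*["'`]/ },
  { name: "Handlebars.compile()", re: /\bHandlebars\.compile\s*\(/ },
];

// Return the source list of one directive from an MV2 policy string.
function directiveSources(policy, directive) {
  const entry = policy.split(";").map(s => s.trim())
    .find(s => s === directive || s.startsWith(directive + " "));
  return entry ? entry.split(/\s+/).slice(1) : [];
}

// Parse manifest.json text and report whether script-src permits 'unsafe-eval'.
function auditManifest(manifestJson) {
  const manifest = JSON.parse(manifestJson);
  const policy = manifest.content_security_policy || MV2_DEFAULT_CSP;
  const unsafeEval = directiveSources(policy, "script-src").includes("'unsafe-eval'");
  return { policy, unsafeEval };
}

// Scan one script's source and return every line using a flagged construct.
function auditScript(file, source) {
  const hits = [];
  source.split("\n").forEach((text, i) => {
    for (const p of EVAL_PATTERNS) {
      if (p.re.test(text)) hits.push({ file, line: i + 1, construct: p.name });
    }
  });
  return hits;
}
// Constructed samples: weakened vs. default manifest, a runtime-compiling
// library fragment, a call site, and the precompiled alternative (plain script).
const WEAK_MANIFEST = JSON.stringify({ manifest_version: 2, name: "demo",
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'" });
const STRICT_MANIFEST = JSON.stringify({ manifest_version: 2, name: "demo" });
const LIBRARY_FRAGMENT = "function createFunctionContext(params, body) {\n  return new Function(params, body);\n}\n";
const RUNTIME_USE = "var tpl = Handlebars.compile(source); // compiled at runtime, needs the Function constructor\n";
const PRECOMPILED_USE = "var tpl = Handlebars.templates['panel']; // emitted at build time by the handlebars CLI\n";
console.log(auditManifest(WEAK_MANIFEST), auditScript("handlebars.js", LIBRARY_FRAGMENT), auditScript("panel.js", RUNTIME_USE));
```

Scripts that load precompiled templates through `Handlebars.templates[...]` produce no findings, while the library's own function-building code and any runtime `compile()` call are reported with file and line.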

This is troubling to me. Here's a quote from the Google page:

"We recognize, however, that a variety of libraries use eval() and eval-like constructs such as new Function() for performance optimization and ease of expression. Templating libraries are especially prone to this style of implementation. _While some (like Angular.js) support CSP out of the box,_ many popular frameworks haven't yet updated to a mechanism that is compatible with extensions' eval-less world. Removing support for that functionality has therefore proven more problematic than expected for developers."

So, some template systems can manage to be CSP-compliant, but not Handlebars? So, now that I've used Handlebars in my project, I'm stuck with 2 choices to get my app CSP-compliant:

1) Rip out Handlebars
2) Pre-compile all of my templates.

Given the dynamic nature of my templates, pre-compiling isn't an option. So, now I have to rip out Handlebars because this defect is closed.

Is it not possible to follow the CSP guide here?

"You can allow it by adding 'unsafe-eval' to your sources list"

That basically defeats the whole point of using a CSP to prevent injection.

FWIW, Cloudant (based on Apache CouchDB) recently changed their in-database script processing to also prevent eval() and new Function() https://console.bluemix.net/docs/services/Cloudant/release_info/deprecations.html#disabled-javascript-constructors

Precompiling templates into JS works for some scenarios, but not for all of them. It'd be great if there were other options, so that Handlebars.js could be used more places.

But...that might just be wishful thinking. :smiley: 💭
