Morglod / tseep

Fastest event emitter in the world for js (and only 381 bytes in build)
https://github.com/Morglod/tseep/blob/master/benchmarks/README.md
MIT License

[Chrome Extension] Uses eval for runtime codegenerations; don't be afraid of it #23

Open Czino opened 2 weeks ago

Czino commented 2 weeks ago

I found that in the context of Chrome extensions, the CSP is much stricter and does not allow it and cannot be further relaxed:

    EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval'".
        at bakeCollection (bake-collection.ts:116:34)

Therefore this package cannot be used as a dependency if you want to develop Chrome Extensions; it looks like Google Devs are afraid of it. Furthermore, I encountered this error because tseep is used as a sub-dependency.

Morglod commented 1 week ago

@Czino will add fallback to it

As a workaround for now, it could be sandboxed or unsafe-eval in the manifest.

Czino commented 1 week ago

While developing it's no problem to relax the security policy, but unsafe-eval is not a valid configuration in the manifest.

Thank you for your consideration in regards to the fallback.

Morglod commented 5 days ago

@Czino

Just added new version, please check it.

Change is pretty simple (fallback may take more bundle size):

    // from
    import { EventEmitter } from "tseep";

    // to (pick one; both lines together would declare EventEmitter twice)
    import { EventEmitter } from "tseep/lib/ee-safe";
    // or
    import { EventEmitter } from "tseep/lib/fallback"; // auto switch if eval is restricted
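The pattern behind an "auto switch if eval is restricted" fallback, as an added example that is not tseep's code and not part of the thread: try the generated-code path once, and on `EvalError` return an eval-free dispatcher with the same behaviour. `bakeDispatch`, `hostCompile` and `restrictedCompile` are hypothetical names, and a Node `vm` context with `codeGeneration.strings: false` is an assumed stand-in for an extension page whose `script-src` lacks `'unsafe-eval'`.

```javascript
const vm = require("node:vm");

// Default compiler: builds a function from a parameter list and a body string.
// Where script-src lacks 'unsafe-eval', this call throws EvalError.
const hostCompile = (params, body) => new Function(...params, body);

// Constructed stand-in for an extension page (assumption): a V8 context that
// refuses to compile strings, so the same call raises EvalError there.
function restrictedCompile() {
  const ctx = vm.createContext({}, { codeGeneration: { strings: false } });
  return vm.runInContext("(params, body) => new Function(...params, body)", ctx);
}

// Hypothetical helper: bake a dispatcher for a fixed listener list.
// Tries an unrolled, generated call sequence first; if code generation is
// refused, returns a plain loop with the same observable behaviour.
function bakeDispatch(listeners, compile = hostCompile) {
  try {
    const body = listeners.map((_, i) => `ls[${i}](a, b);`).join("\n");
    const fn = compile(["ls", "a", "b"], body);
    return { mode: "codegen", emit: (a, b) => fn(listeners, a, b) };
  } catch (err) {
    // Match on name: instanceof fails for errors created in another realm.
    if (!err || err.name !== "EvalError") throw err;
    return {
      mode: "loop",
      emit: (a, b) => { for (const l of listeners) l(a, b); },
    };
  }
}

// Run both paths over the same listeners and report what each one did.
function demo() {
  const run = (compile) => {
    const seen = [];
    const d = bakeDispatch(
      [(a, b) => seen.push(`first:${a}${b}`), (a, b) => seen.push(`second:${a}${b}`)],
      compile,
    );
    d.emit("x", 1);
    return { mode: d.mode, seen };
  };
  return { host: run(hostCompile), restricted: run(restrictedCompile()) };
}

console.log(JSON.stringify(demo()));
```

Only `EvalError` triggers the fallback; any other exception from the compile step is rethrown so a genuine bug in the generated body is not silently masked by the slower path.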