Error generated when using new Function() constrcutor in templating due to Content Security Policy blocking unsafe generated js code

[KKamaa]

There is an error when using the release versions of Odoo Owl to create borwser extensions because of the new manifest v3 rules regarding Content Security Policy directive basicall, You cannot run code with unsafe eval in manifest v3 , if you are using any bundlers like webpack or vite , you can change the code not to use eval or check package bundle if it contains any eval , here are the list of syntax you are not suppose to use in manifest 3:

• eval()
• setTimeout()
• setInterval()
• Function()
• setImmediate()
• execScript()

So in the owl library owl.iife.js the use of new Function when generating a template will not work if the library will be used in a design of a browser extenison. Its best you guys make functions considering manifest v3 rules.

let { text, createBlock, list, multi, html, toggler, comment } = bdom;
  // Template name: "__template__1"

  let block1 = createBlock(`<h2>Hello world</h2>`);

  return function template(ctx, node, key = "") {
    return block1();
  }

can be write as js code to handle it.

[ged-odoo]

Dear @KKamaa It's true that one cannot run the complete owl build in a browser extension. This is indeed because of security restrictions that prevent creating new function dynamically. However, this problem can be easily (!) solved by precompiling templates, which owl supports. See:

https://github.com/odoo/owl/blob/master/doc/reference/precompiling_templates.md

Owl can work with xml templates (and will compile them on the fly then, but this does not work in your case) or with compiled templates directly. You can check owl own browser extension to see how it can be done: https://github.com/odoo/owl/tree/master/tools/devtools