plantinin / chrometophone

Automatically exported from code.google.com/p/chrometophone
0 stars 0 forks source link

Remove 'unsafe-eval' from the extension CSP #507

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
It looks like the only use of eval() in this extension is in 
https://code.google.com/p/chrometophone/source/browse/trunk/extension/channel.js
, which is using it to parse JSON. This is a particularly unsafe use of eval, 
since the returned JSON data could include arbitrary code, and it's easy to 
replace the use with JSON.parse().

I also see two setTimeout() calls in send_logic.js that could be fixed up by 
removing the quotes around their function argument.

And, finally, there's some Closure-junk in channel.js ('new 
Function("a","return a")'), which could be removed by re-importing 
https://talkgadget.google.com/talkgadget/channel.js or by textually replacing 
it with 'function(a){return a}'.

Original issue reported on code.google.com by jyasskin@chromium.org on 13 Dec 2013 at 12:35