Is unsafe-eval in manifest.json needed?

samuelsimoes / chrome-extension-webpack-boilerplate

A basic foundation boilerplate for rich Chrome Extensions using Webpack to help you write modular and modern Javascript code, load CSS easily and automatic reload the browser on code changes.

MIT License

1.7k stars 347 forks source link

Is unsafe-eval in manifest.json needed? #104

Open aguynamedben opened 3 years ago

aguynamedben commented 3 years ago

Thank you for making this boilerplate available. It's been very helpful.

We submitted an extension based on this repo to Microsoft Edge, and we got this recommendation in our feedback:

Why is unsafe-eval needed in manifest.json? I can't see why it's needed here. There are no eval()s in the codebase.

aguynamedben commented 3 years ago

Location of unsafe-eval: https://github.com/samuelsimoes/chrome-extension-webpack-boilerplate/blob/d764ce1405b5ce3af84a362947bd1f56c117cbdc/src/manifest.json#L15

hexgnu commented 2 years ago

When you run yarn build using NODE_ENV=development it will package it up using an eval in webpack. If you try NODE_ENV=production yarn build and remove the unsafe eval it should actually work as expected.

jcnventura commented 2 years ago

The unsafe-eval needs to be removed in 2022, since Chrome will stop accepting Manifest V2 extensions, and V3 extensions are not allowed to use unsafe-eval in the content_security_policy.