Function("...") causes unsafe-eval CSP violation in Chrome extension

[deltaidea]

I'm trying to use react-form in my Chrome extension options page. It has regenerator-runtime as the transitive dependency that throws the error, so I figured I'll create an issue here.

Thanks for your time! I appreciate your support of the JS community.

Expected Behavior

regenerator-runtime works silently like a good boy.

Actual Behavior

require("regenerator-runtime") // Uncaught EvalError

Offending line: node_modules/regenerator-runtime/runtime-module.js:10

var g = (function() { return this })() || Function("return this")();

Version: [email protected]

Full error:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:".

Environment

Chrome extension Options page, Chrome 63.0.3239.132 (64-bit), Windows 10

[deltaidea]

#292 (comment)

... it should be safe as long as you don't blindly concatenate all your JS together with the "use strict"; at the top ...

Unfortunately, strict mode is enforced in the extension environment. I'm guessing the same is true in other secure sandboxes such as Chrome apps and Atom plugins.

[JakeChampion]

@deltaidea I think the line can be changed to:

var g = (function() { return this ? this : typeof self !== 'undefined' ? self : undefined})() || Function("return this")();

[deltaidea]

Yeah, that works, thank you!

Can you guys please take a look and tell if this is a reasonable fix?
I'm gonna replace this package with a modified copy for now in my project.

[JakeChampion]

It should be a reasonable fix, self is the global object and works in Browsers' main thread as well as workers (Service Workers, Web Workers, Shared Workers etc).

[ijsnow]

This is also a problem with firefox extensions