Atom Content Security Policy Error


I have a atom package to converts js to coffeescript. It worked initially but after an atom update it now throws a Chrome CSP error related to the use of eval on the javascript.

This looks like something that’s common with chrome extensions and the rule can be relaxed via the manifest.json.

I don’t full understand the relationship between atom/chrome and atom packages/chrome extensions, so maybe someone can shed some light on that.

The error:

Failed to activate package named 'js2coffee' EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".
  at /Users/cabraham/.atom/packages/js2coffee/node_modules/js2coffee/out/lib/narcissus_packed.js:383:21
  at Object.<anonymous> (/Users/cabraham/.atom/packages/js2coffee/node_modules/js2coffee/out/lib/narcissus_packed.js:832:2)
  at Module._compile (module.js:455:26)
  at Object.Module._extensions..js (module.js:473:10)
  at Module.load (/Applications/
  at Function.Module._load (module.js:311:12)
  at Module.require (module.js:363:17)
  at require (module.js:379:17)

Adding a script to a frame (Atom's CSP)
Link to external js
Draft.js as the editor

+1 for plugin permission on install.

My related post here.


I’m having the same issue simply trying to run some JS in my view inside a atom package. This used to work just fine, but has since been disabled.



Anyone find any solutions to this? I’m trying to use ‘eval’ in my package and I’m currently stuck on this…


Ah figured it out. Because Atom runs Node.js, I used Node’s ‘vm’ module instead of eval. The downside to this however is that I didn’t have access to the local scope like I would in eval.


I just noticed that this broke my plugin to. Is there any workaround but to load it into a node vm?


Hello @Chandler, @searls, I found the workaround,

use loophole
{allowUnsafeEval} = require 'loophole’
js2coffee = allowUnsafeEval -> require ‘js2coffee’

you can see this commit :smile:


Awesome @yhsiang thanks for that, I just merged your change. Plugin is working again!