Atom Content Security Policy Error


#1

I have a atom package to converts js to coffeescript. It worked initially but after an atom update it now throws a Chrome CSP error related to the use of eval on the javascript.

This looks like something that’s common with chrome extensions and the rule can be relaxed via the manifest.json.

I don’t full understand the relationship between atom/chrome and atom packages/chrome extensions, so maybe someone can shed some light on that.

The error:

Failed to activate package named 'js2coffee' EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".
  at /Users/cabraham/.atom/packages/js2coffee/node_modules/js2coffee/out/lib/narcissus_packed.js:383:21
  at Object.<anonymous> (/Users/cabraham/.atom/packages/js2coffee/node_modules/js2coffee/out/lib/narcissus_packed.js:832:2)
  at Module._compile (module.js:455:26)
  at Object.Module._extensions..js (module.js:473:10)
  at Module.load (/Applications/Atom.app/Contents/Resources/app/node_modules/coffee-script/lib/coffee-script/register.js:45:36)
  at Function.Module._load (module.js:311:12)
  at Module.require (module.js:363:17)
  at require (module.js:379:17)

Adding a script to a frame (Atom's CSP)
Draft.js as the editor
Link to external js
#2

+1 for plugin permission on install.

My related post here.


#3

I’m having the same issue simply trying to run some JS in my view inside a atom package. This used to work just fine, but has since been disabled.


#4

+1

Anyone find any solutions to this? I’m trying to use ‘eval’ in my package and I’m currently stuck on this…


#5

Ah figured it out. Because Atom runs Node.js, I used Node’s ‘vm’ module instead of eval. The downside to this however is that I didn’t have access to the local scope like I would in eval.


#6

I just noticed that this broke my https://github.com/searls/atom-js2coffee plugin to. Is there any workaround but to load it into a node vm?


#7

Hello @Chandler, @searls, I found the workaround,

use loophole
{allowUnsafeEval} = require 'loophole’
js2coffee = allowUnsafeEval -> require ‘js2coffee’

you can see this commit :smile:


#8

Awesome @yhsiang thanks for that, I just merged your change. Plugin is working again!