Chrome extension refused to evaluate a string as JavaScript because ‘unsafe-eval’ in emscripten generated file

-s NO_DYNAMIC_EXECUTION=1 removes eval() and new Function() from generated code.

https://github.com/emscripten-core/emscripten/blob/master/src/settings.js#L1030

When set to 0, we do not emit eval() and new Function(), which disables some functionality (causing runtime errors if attempted to be used), but allows the emitted code to be acceptable in places that disallow dynamic code execution (chrome packaged app, privileged firefox app, etc.). Pass this flag when developing an Emscripten application that is targeting a privileged or a certified execution environment, see Firefox Content Security Policy (CSP) webpage for details: https://developer.mozilla.org/en-US/Apps/Build/Building_apps_for_Firefox_OS/CSP When this flag is set, the following features (linker flags) are unavailable: –closure 1: When using closure compiler, eval() would be needed to locate the Module object. -s RELOCATABLE=1: the function Runtime.loadDynamicLibrary would need to eval(). –bind: Embind would need to eval(). Additionally, the following Emscripten runtime functions are unavailable when DYNAMIC_EXECUTION=0 is set, and an attempt to call them will throw an exception:

  • emscripten_run_script(),
  • emscripten_run_script_int(),
  • emscripten_run_script_string(),
  • dlopen(),
  • the functions ccall() and cwrap() are still available, but they are restricted to only being able to call functions that have been exported in the Module object in advance.

When set to -s DYNAMIC_EXECUTION=2 flag is set, attempts to call to eval() are demoted to warnings instead of throwing an exception.

CLICK HERE to find out more related problems solutions.

Leave a Comment

Your email address will not be published.

Scroll to Top