Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

You can't eval in extension context, but injecting a <script> would work given the permission that lets you edit the page's DOM.


Ah, thought it was allowed with 'unsafe-eval' in extension CSP. Never had a need for it. Remote code refers to injecting <script> tags into the page then?


When running as a WebExtension you have a higher set of permissions than a regular script (you can to some degree control the browser, after all), so certain parts of JavaScript is off-limits.

eval() is one of those things.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: