The Chrome API’s Manifest version 2 has removed the ability to do unsafe-eval. This

Question

0

Asked: June 8, 20262026-06-08T03:32:05+00:00 2026-06-08T03:32:05+00:00

The Chrome API’s Manifest version 2 has removed the ability to do unsafe-eval. This

0

The Chrome API’s Manifest version 2 has removed the ability to do unsafe-eval. This means using the eval function or in general dynamically creating a function from text.

It seems like most if not all Javascript Templating Engines do this. I was using Jaml, but I tried several others like backbone.js (which really uses underscore.js’s templating engine) with no luck.

This comment on the Chromium project seems to indicate that there are a great many libraries that suffer from this.

I think Angular.js has a CSP-safe mode, but Angular.js is really too big for what we need. We just need a fairly basic templating engine and don’t need models or controllers and such. Does anyone know about any CSP-compatbility templating engines out there?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-08T03:32:07+00:00

Editorial Team

2026-06-08T03:32:07+00:00Added an answer on June 8, 2026 at 3:32 am

The best solution to this problem is to pre-compile your templates before you deploy your extension. Both handlebarsjs and eco offer pre-compilation as a feature. I actually wrote a blog post that goes into more depth.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

The Chrome API’s Manifest version 2 has removed the ability to do unsafe-eval. This

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply