我正在尝试创建一个 Web 扩展,允许将 Desmos 计算器用作扩展中的弹出窗口。我让它工作了,但我必须在清单的“content_security_policy”部分使用“unsafe_eval”,我知道这是一个很大的安全风险。有没有办法让它在没有“unsafe_eval”的情况下工作?
代码:
清单.json
{
"manifest_version": 2,
"name": "Desmos Extension",
"version": "1.0",
"description": "Desmos scientific calculator which can be brought up as an extension popup.",
"content_security_policy": "script-src 'self' 'unsafe-eval' https://www.desmos.com/api/v1.5/calculator.js; object-src 'self'",
"browser_action": {
"default_popup": "popup.html",
"default_title": "Desmos"
}
}
popup.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Calculator</title>
<link rel="stylesheet" href="styles.css">
</head>
<body>
<div id="calculator"></div>
<script src="https://www.desmos.com/api/v1.5/calculator.js?apiKey=dcb31709b452b1cf9dc26972add0fda6"></script>
<script src="calc.js"></script>
</body>
</html>
计算.js
const elt = document.getElementById('calculator');
const calculator = Desmos.ScientificCalculator(elt);