Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make runtime work within CSP restriction. #112

Closed
creationix opened this issue Apr 30, 2014 · 10 comments
Closed

Make runtime work within CSP restriction. #112

creationix opened this issue Apr 30, 2014 · 10 comments

Comments

@creationix
Copy link

In particular, I want to use regenerator to write chrome packaged apps like my tedit editor. But as soon as I tried this I realized that the runtime uses eval somewhere.

Is this a hard requirement of the runtime, or can it be modified to work without using eval (or it's variants like new Function, etc)?

I would love to use this for authoring chrome apps, but the last road-block is the runtime triggering CSP violations
@benjamn
Copy link
Collaborator

benjamn commented Apr 30, 2014

I think the only offending line is

regenerator/runtime/dev.js

Line 403 in df79c26

}).apply(this, Function("return [this, function GeneratorFunction(){}]")());
, which is needed to prevent the GeneratorFunction declaration from getting minified.

@creationix
Copy link
Author

Interesting. I guess worst case I can change the runtime before including in my app. I'm not sure which minifier you're using, but isn't there a way to just specify a whitelist of identifiers to not munge (perhaps in a comment block)?

@benjamn
Copy link
Collaborator

benjamn commented Apr 30, 2014

Yeah, that's always possible, but it depends on particular minifier interfaces, whereas this technique works everywhere. Does CSP support comments to ignore certain code?

@creationix
Copy link
Author

I've never heard of such a feature in CSP. I highly doubt that a comment can ever ignore valid code.

@benjamn
Copy link
Collaborator

benjamn commented Apr 30, 2014

I mean something like /* jslint evil: true */ (which temporarily makes jslint not complain about eval or Function).

@creationix
Copy link
Author

No, in chrome apps, CSP is not optional. It's a hard security requirement of the platform.
I did just get regenerator working by removing the eval https://github.com/creationix/jsconfbr2014/blob/cec50ac2060dc91fd7e371f2293099bff24c02f5/app/regenerator-runtime.js#L403

@creationix
Copy link
Author

Now with the workaround in my code from #111 https://github.com/creationix/jsconfbr2014/blob/cec50ac2060dc91fd7e371f2293099bff24c02f5/app-src/main.js and a hand modified runtime, I finally can author chrome apps on a chromebook using tedit and generators!

Here is my sample app using generators. https://github.com/creationix/jsconfbr2014/blob/cec50ac2060dc91fd7e371f2293099bff24c02f5/app-src/main.js
screen shot 2014-04-30 at 4 13 58 pm

@benjamn
Copy link
Collaborator

benjamn commented May 3, 2014

Maybe it makes sense to recommend people use https://github.com/facebook/regenerator/blob/master/runtime/min.js, and just make sure GeneratorFunction doesn't get minified in that file.

@bolinfest bolinfest mentioned this issue Nov 6, 2014
Closed
@benjamn
Copy link
Collaborator

benjamn commented Nov 6, 2014

Idea from benjamn/ast-types#72 (comment): either don't minify https://github.com/facebook/regenerator/blob/master/runtime.js, or make sure you minify it in such a way that GeneratorFunction does not get renamed. The latter requirement can be enforced by an assertion in https://github.com/facebook/regenerator/blob/master/runtime.js.

@benjamn benjamn closed this as completed in 49358bc Nov 6, 2014
@fkling
Copy link
Contributor

fkling commented Nov 7, 2014

@benjamn: Are you comparing the name so that the check works in environments that natively support generators (and GeneratorFunction)? Wouldn't

  runtime.isGeneratorFunction = function(genFun) {
    var ctor = genFun && genFun.constructor;
    return ctor ? 'GeneratorFunction' === ctor.name || ctor === GeneratorFunction : false;
  };

work well enough?

@benjamn benjamn mentioned this issue Dec 17, 2014
Closed
benjamn added a commit that referenced this issue Dec 20, 2014
@benjamn
Stop relying on GeneratorFunction.name in isGeneratorFunction.
049a955 
When Regenerator is in use, genFun.constructor will usually be strictly
equal to the GeneratorFunction function, but it could also be the native
GeneratorFunction constructor or a foreign non-native GeneratorFunction
somehow created by a different instance of runtime.js, and the most
reliable way to identify those two (rare) possibilities is by name (see

The native GeneratorFunction.name should be "GeneratorFunction", but if
the runtime has been minified, a foreign non-native GeneratorFunction may
be identifiable only by the .displayName property that we set here. Though
it might seem better to set .name to "GeneratorFunction", that property is
not writable in some browsers.

Another approach (tried in #63) was to create the GeneratorFunction
constructor by evaluating a string (in an attempt to thwart minification),
but that had the unfortunate side effect of violating CSP: #112.

Fixes #156.
@benjamn benjamn mentioned this issue Apr 28, 2017
Merged
@danielterwiel danielterwiel mentioned this issue Dec 13, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@benjamn @creationix @fkling