Add atom.allowUnsafeEval loophole and disable unsafe-eval again

With Node.js baked in, there's no water-tight way to prevent users from
evaluating code at runtime, at least with CSP alone. This is because
node exposes a 'vm' module that allows scripts to be compiled. There's
also `module._compile`, etc.

I think a reasonable compromise is to protect users from eval'ing code
by accident. This commit adds an atom.allowUnsafeEval method which
re-enables eval in the dynamic scope of the given function.

I then use this to compile the keystroke grammar which saves us the
complexity of pre-compiling it during specs.

What do people think?

src/atom.coffee

@@ -1,3 +1,4 @@
+vm = require 'vm'
 crypto = require 'crypto'
 ipc = require 'ipc'
 keytar = require 'keytar'
@@ -527,3 +528,11 @@ class Atom extends Model
         delete window[key]
       else
         window[key] = value
+
+  allowUnsafeEval: (fn) ->
+    oldEval = global.eval
+    try
+      global.eval = (source) -> vm.runInThisContext(source)
+      fn()
+    finally
+      global.eval = oldEval

src/key-binding.coffee

@@ -31,7 +31,7 @@ class KeyBinding
       catch
         keystrokePattern = fs.readFileSync(require.resolve('./keystroke-pattern.pegjs'), 'utf8')
         PEG = require 'pegjs'
-        @parser = PEG.buildParser(keystrokePattern)
+        atom.allowUnsafeEval => @parser = PEG.buildParser(keystrokePattern)
 
     @parser.parse(keystroke)
 

static/index.html

@@ -3,7 +3,7 @@
 <head>
   <title></title>
 
-  <meta http-equiv="Content-Security-Policy" content="default-src *; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';">
+  <meta http-equiv="Content-Security-Policy" content="default-src *; script-src 'self'; style-src 'self' 'unsafe-inline';">
 
   <script src="index.js"></script>
 </head>