mirror of
https://github.com/pulsar-edit/pulsar.git
synced 2024-11-09 13:15:37 +03:00
5e8213d45f
With Node.js baked in, there's no water-tight way to prevent users from evaluating code at runtime, at least with CSP alone. This is because node exposes a 'vm' module that allows scripts to be compiled. There's also `module._compile`, etc. I think a reasonable compromise is to protect users from eval'ing code by accident. This commit adds an atom.allowUnsafeEval method which re-enables eval in the dynamic scope of the given function. I then use this to compile the keystroke grammar which saves us the complexity of pre-compiling it during specs. What do people think?
13 lines
279 B
HTML
13 lines
279 B
HTML
<!DOCTYPE html>
|
|
<html style="background: #fff">
|
|
<head>
|
|
<title></title>
|
|
|
|
<meta http-equiv="Content-Security-Policy" content="default-src *; script-src 'self'; style-src 'self' 'unsafe-inline';">
|
|
|
|
<script src="index.js"></script>
|
|
</head>
|
|
<body tabindex="-1">
|
|
</body>
|
|
</html>
|