CSP script-src violations

[elennaro]

I try to implement Content Security Policy on a game written using Phaser.js in Cordova for mobile.

I have my security rules set pretty ok:

Content-Security-Policy: default-src 'self'; 
script-src 'self' *.example.com *.google-analytics.com mc.yandex.ru;
style-src *.example.com;
img-src 'self' *.example.com;
frame-src *.example.com;
connect-src *.example.com ws://api.example.com wss://api.example.com"

Where example.com is some hosting i use to do some back-end logic and statistics.

However Chrome shows me next errors:

1. Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src ...
   phaser.js:34155 ... phaser.js:70453
2. Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src ...
   phaser.js:34155 ... phaser.js:70453

Here's the code:

// The accessor creates a new Signal (and so it should only be used from user-code.)
    Object.defineProperty(Phaser.Events.prototype, prop, {
        get: new Function("return "+backing+" || ("+backing+" = new Phaser.Signal())") //line 34155
    });
...
}).call(this); //line 70453 

I don't really want to use 'unsafe-eval' for script-src, especially since it is not recommended.

Please read Content Security Policy Specs for more information.

[photonstorm]

Ah damn, yes I've seen this in the forum too (http://www.html5gamedevs.com/topic/11410-phaser-221-can-no-longer-create-google-chrome-apps/#entry66007) where it stops Phaser games working as Chrome Apps any more as well, for the same reason.

It was a recent change by @pnstickne but we'll obviously have to find a work-around for it, because we can't leave it in this state. Will flag as high priority for the next release.

[elennaro]

Thanks. It could be great!
P.S. Merry Christmas and Happy New Year :)

[pnstickne]

I'll get a patch in later today - I didn't realize there was a restriction.

The fix is changing the evals into closures (it won't affect the approach itself at all); that was me trying to be clever and not have the enclosing scope closed over and possibly take advantage of JS compiler interning - "don't ask".

[photonstorm]

@elennaro would you mind testing the dev branch please? (you'll have to build phaser using grunt, but otherwise it should be good to go).

[elennaro]

@photonstorm, it works! Thank you!
I've managed to build phaser with grunt. Used files from dist folder. And no more CSP errors!
Should I close the issue now?

[photonstorm]

Great stuff, thanks. I'll close this off once I've checked a few more things.