This is a hack to enable third-party libraries that depend on a limited subset
eval semantics to work in Atom with a content security policy that forbids
require 'loophole'allowUnsafeEval ->crazyLibraryexploitLoophole # allows `eval(...)`allowUnsafeNewFunction ->crazyLibraryexploitLoophole # allows `new Function(...)`
You can also use the exported
Function constructor directly:
require 'loophole'f = "return 1 + 1;"
eval with a call to
won't perfectly emulate
eval but is good enough in certain circumstances, like
compiling PEG.js grammars.
allowUnsafeNewFunction temporarily replaces
loophole.Function, which passes the source of the desired function to
If there's a loophole, why even enable CSP? It still prevents developers from accidentally invoking eval with legacy libraries. For example, did you know that jQuery runs eval when you pass it content with script tags? If you want eval, you'll need to explicitly ask for it.