I've implemented CSP on my application so as to reduce the risk of XSS, but the app now fails with Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source because of the use of the Function constructor in webworkify.
If another approach is possible it would really help anyone who is trying to prevent code being run maliciously.
Just to confirm, the only way I can get my app working again is to allow the use of eval and Function via the 'unsafe-eval' source in my script directive.
Thanks for a great tool though :]
See #31. However, even with that change, webworkify relies on creating a worker using a Blob URL, which is functionally equivalent to eval -- so this may not really solve your problem, unfortunately :(
Thanks for the info. PR #31 does look like it will solve the issue in that it will not fail on the use of Function. I appreciate that the use of the Blob URL is likely to cause another error, though I believe that can be handled in a CSP with a different directive such as: object-src 'self' blob:
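For anyone arriving at this thread from the same CSP error, it helps to see which directive actually governs each of the two things webworkify does in the browser. Under CSP Level 3, the `Function` constructor is gated by `'unsafe-eval'` in `script-src` (falling back to `default-src`), while constructing a `Worker` from a `blob:` URL is gated by `worker-src`, which falls back to `child-src`, then `script-src`, then `default-src`; `object-src` only covers plugin content such as `<object>` and `<embed>`. The snippet below is an added example written for this page, not webworkify's own code and not a full CSP implementation: it parses a policy header, resolves those fallback chains, and reports what a given policy permits. As a deliberate simplification it treats only an explicit `blob:` scheme-source as matching a blob URL, and the `checkPolicy` / `parseCsp` names are this example's own.

```javascript
// Added example (not webworkify's code): a minimal CSP evaluator that answers
// two questions for a given policy header:
//   1. may page scripts call the Function constructor / eval?  ('unsafe-eval')
//   2. may the page create a Worker from a blob: URL?           (worker-src chain)

// Parse "name src src; name src ..." into a Map of directive name -> source list.
// Per CSP, a repeated directive is ignored, so the first occurrence wins.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// CSP3 fallback chains: a missing directive defers to the next one in the list.
// Note that object-src appears in neither chain.
const FALLBACKS = {
  'script-src': ['script-src', 'default-src'],
  'worker-src': ['worker-src', 'child-src', 'script-src', 'default-src'],
};

// Return the directive that actually governs a request type, or null when no
// directive in the chain is present (in which case CSP imposes no restriction).
function effectiveSources(policy, directive) {
  for (const name of FALLBACKS[directive]) {
    if (policy.has(name)) return { governedBy: name, sources: policy.get(name) };
  }
  return { governedBy: null, sources: null };
}

function allowsUnsafeEval(policy) {
  const { sources } = effectiveSources(policy, 'script-src');
  return sources === null ||
    sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

function allowsBlobWorker(policy) {
  const { sources } = effectiveSources(policy, 'worker-src');
  // Simplification (assumption of this example): only the explicit blob:
  // scheme-source is treated as matching a blob: URL. '*' never matches blob:
  // under CSP3, and relying on 'self' for blob: is not portable across browsers.
  return sources === null ||
    sources.some((s) => s.toLowerCase() === 'blob:');
}

// Summarise what a header permits, including which directive made the decision.
function checkPolicy(header) {
  const policy = parseCsp(header);
  return {
    workerGovernedBy: effectiveSources(policy, 'worker-src').governedBy,
    unsafeEval: allowsUnsafeEval(policy),
    blobWorker: allowsBlobWorker(policy),
  };
}

// Constructed sample policies for illustration.
const SAMPLES = {
  // The policy from the thread: object-src does not reach the worker chain,
  // so worker-src falls through to script-src 'self' and the blob worker is refused.
  objectSrcOnly: "default-src 'self'; script-src 'self'; object-src 'self' blob:",
  // Permit blob workers without re-enabling eval for page scripts.
  workerSrcBlob: "default-src 'self'; script-src 'self'; worker-src blob:",
  // The blunt fix from the issue: allow eval everywhere scripts run.
  unsafeEval: "default-src 'self'; script-src 'self' 'unsafe-eval'",
};

for (const [label, header] of Object.entries(SAMPLES)) {
  console.log(label, JSON.stringify(checkPolicy(header)));
}
```

Running it shows that the policy quoted above still refuses the blob worker because `worker-src` falls through to `script-src 'self'`, whereas adding `worker-src blob:` permits the worker while keeping `'unsafe-eval'` out of `script-src`. Whether that is acceptable depends on your threat model: a `blob:` worker is still script the page assembled at runtime, which is the point the earlier comment makes about it being functionally equivalent to eval.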