Javascript Template Engines that work with Chrome's Content Security Policy


Question

The Chrome API's Manifest version 2 has removed the ability to do unsafe-eval. This means using the eval function or in general dynamically creating a function from text.

It seems like most if not all Javascript Templating Engines do this. I was using Jaml, but I tried several others like backbone.js (which really uses underscore.js's templating engine) with no luck.

This comment on the Chromium project seems to indicate that there are a great many libraries that suffer from this.

I think Angular.js has a CSP-safe mode, but Angular.js is really too big for what we need. We just need a fairly basic templating engine and don't need models or controllers and such. Does anyone know about any CSP-compatibility templating engines out there?

Recommended answer

The best solution to this problem is to pre-compile your templates before you deploy your extension. Both handlebarsjs and eco offer pre-compilation as a feature. I actually wrote a blog post (http://matthewrobertson.org/blog/2012/07/10/javascript-templates-and-chromes-content-security-policy/) that goes into more depth.
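
The pre-compilation idea from the answer, as an added example that is not part of the original post and is not Handlebars' or eco's code: a build step turns template text into ordinary JavaScript source, so the extension page only loads a static script and never calls `eval` or `new Function`. The `{{key}}` syntax, the names `esc`, `precompile` and `buildBundle`, and the file name `templates.js` are assumptions made for this example.

```javascript
// Build-time precompiler (run with Node before packaging, not in the extension).
// Assumed for this example: {{key}} placeholders and the names esc,
// precompile and buildBundle.

// Runtime helper; its source is copied into the bundle via toString().
function esc(v) {
  return String(v == null ? "" : v).replace(/[&<>"']/g, function (c) {
    return "&#" + c.charCodeAt(0) + ";";
  });
}

// Turn one template into JavaScript *source text* for a plain function.
function precompile(name, template) {
  // split() with a capture group: even slots are literal text, odd slots are keys.
  const parts = template.split(/\{\{\s*(\w+)\s*\}\}/);
  const pieces = parts.map((part, i) =>
    i % 2 === 0 ? JSON.stringify(part) : "esc(data[" + JSON.stringify(part) + "])");
  return "templates[" + JSON.stringify(name) + "] = function (data) {\n" +
         "  return " + pieces.join(" + ") + ";\n};\n";
}

// Concatenate everything into one script, saved as e.g. templates.js and
// loaded by the extension page with <script src="templates.js">.
function buildBundle(sources) {
  let out = "var templates = {};\n" + esc.toString() + "\n";
  for (const [name, template] of Object.entries(sources)) {
    out += precompile(name, template);
  }
  return out;
}

// Constructed sample template.
const bundle = buildBundle({ greeting: "<p>Hello, {{name}}!</p>" });
console.log(bundle);
```

Because the generated file is shipped inside the extension package, it loads under a policy that allows only same-origin scripts, and interpolated values are HTML-escaped by default.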
