JavaScript Templating with Chrome Extensions' Manifest Version 2



Google Chrome's manifest version 2 imposed some new security limitations, among them:

You can’t use string-to-JavaScript methods like eval and function(){}.

Seems rather harmless, you probably don't use eval anyway, right?

Wrong. If you use JS templates like most of the cool kids do, it's likely your templating framework of choice uses eval or perhaps new Function somewhere. That means the only way you could keep using it in a manifest 2 extension is via ugly sandboxing.

If you already have tons of templates and you don't wanna switch, that's cool. Go create a templating sandbox and share it on GitHub so we can all enjoy it.

But if you don't have too many existing templates, or are just starting development and trying to pick a templating solution that will work, my recommendation is Mustache. More specifically, this fork of Mustache, which @addyosmani changed to comply with CSP.

Mustache is logic-less templating, which makes sense for the CSP use case: if you don't have embedded logic, you never have to generate functions from strings.
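The difference between the two styles, as an added sketch (not code from this post, from Mustache or from underscore.js; every function name is hypothetical). `withStringCodeBlocked` is a constructed stand-in for the extension CSP that makes `eval` and `new Function` throw `EvalError`, so the contrast can be seen outside a browser.

```javascript
// Added example. All function names here are hypothetical.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value == null ? '' : value).replace(/[&<>"']/g, (c) => map[c]);
}

// Style 1: turn the template into JavaScript source and pass it to
// new Function. This is the string-to-code step the extension CSP refuses.
function compileToFunction(template) {
  const body = template
    .split(/\{\{\s*(\w+)\s*\}\}/) // odd indexes hold the captured tag names
    .map((part, i) => (i % 2 ? `esc(view[${JSON.stringify(part)}])` : JSON.stringify(part)))
    .join(' + ');
  const fn = new Function('view', 'esc', `return ${body};`);
  return (view) => fn(view, escapeHtml);
}

// Style 2: logic-less. Tags are resolved by data lookup in a single pass,
// so no JavaScript source is ever built or evaluated.
function renderLogicless(template, view) {
  const tag = /\{\{#(\w+)\}\}([\s\S]*?)\{\{\/\1\}\}|\{\{\s*(\w+)\s*\}\}/g;
  return template.replace(tag, (_, section, inner, name) => {
    if (name !== undefined) return escapeHtml(view[name]);
    const value = view[section];
    const items = Array.isArray(value) ? value : value ? [value] : [];
    return items
      .map((item) => renderLogicless(inner, item === Object(item) ? item : view))
      .join('');
  });
}

// Constructed stand-in for the CSP: while fn runs, eval and new Function
// throw EvalError, which is what a page without 'unsafe-eval' does.
function withStringCodeBlocked(fn) {
  const saved = { Function: globalThis.Function, eval: globalThis.eval };
  const blocked = function () { throw new EvalError('string-to-code blocked'); };
  Object.assign(globalThis, { Function: blocked, eval: blocked });
  try { return fn(); } finally { Object.assign(globalThis, saved); }
}

// Returns the rendered string, or the error name if rendering was refused.
function attempt(render) {
  try { return withStringCodeBlocked(render); } catch (err) { return err.name; }
}
```

Under the simulated policy, `attempt` returns `'EvalError'` for the compiled template and the rendered HTML for the logic-less one.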

I faced this challenge with an established app which has only one little underscore.js template. Converting it to Mustache, including learning Mustache, took ~5 minutes, and IMHO it's now neater. Go check Mustache out.

What do you think?