Avoid unsafe-eval CSP errors in Electron. [closes standard-things#601]

Author: jdalton

.eslintrc.js

@@ -9,9 +9,10 @@ module.exports = {
   extends: ["eslint:recommended", "plugin:import/errors"],
   globals: {
     __external__: false,
+    __global__: false,
+    __jest__: false,
     __non_webpack_module__: false,
     __non_webpack_require__: false,
-    __jest__: false,
     __shared__: false,
     jest: false,
     WebAssembly: false

esm.js

@@ -1,5 +1,4 @@
 /* eslint strict: off, node/no-unsupported-features: ["error", { version: 6 }] */
-"use strict"
 
 const {
   apply,
@@ -104,6 +103,7 @@ function compileESM() {
   }
 
   const script = new Script(
+    "const __global__ = this;" +
     "(function (require, module, __jest__, __shared__) { " +
     content +
     "\n});",
@@ -123,7 +123,9 @@ function compileESM() {
   } else {
     result = apply(runInNewContext, script, [{
       __proto__: null,
-      global: Function("return this")()
+      global: (function () {
+        return this
+      })()
     }, options])
   }
 

src/shared.js

@@ -96,7 +96,7 @@ function init() {
     pendingScripts: { __proto__: null },
     pendingWrites: { __proto__: null },
     reloaded: false,
-    safeGlobal: Function("return this")(),
+    safeGlobal: __global__,
     support,
     symbol,
     unsafeGlobal: global,
@@ -115,7 +115,8 @@ function init() {
   })
 
   setDeferred(shared, "customInspectKey", () => {
-    const { customInspectSymbol } = shared.module.safeUtil
+    const { safeUtil } = shared.module
+    const { customInspectSymbol } = safeUtil
 
     return typeof customInspectSymbol === "symbol"
       ? customInspectSymbol
@@ -129,7 +130,10 @@ function init() {
   })
 
   setDeferred(shared, "originalConsole", () => {
-    const { safeInspector, safeVM } = shared.module
+    const {
+      safeInspector,
+      safeVM
+    } = shared.module
 
     return (safeInspector && safeInspector.console) ||
       new safeVM.Script("console").runInNewContext()
@@ -146,37 +150,48 @@ function init() {
   })
 
   setDeferred(shared, "runtimeName", () => {
+    const { safeCrypto } =  shared.module
+
     return encodeId(
       "_" +
-      shared.module.safeCrypto.createHash("md5")
+      safeCrypto.createHash("md5")
         .update(Date.now().toString())
         .digest("hex")
         .slice(0, 3)
     )
   })
 
   setDeferred(shared, "unsafeContext", () => {
-    const { safeVM, utilPrepareContext } = shared.module
+    const {
+      safeVM,
+      utilPrepareContext
+    } = shared.module
 
     return utilPrepareContext(safeVM.createContext(shared.unsafeGlobal))
   })
 
   setDeferred(support, "await", () => {
+    const { safeVM } = shared.module
+
     try {
-      Function("async()=>await 1")()
+      new safeVM.Script("async()=>await 1").runInThisContext()
       return true
     } catch {}
 
     return false
   })
 
   setDeferred(support, "createCachedData", () => {
-    return typeof shared.module.safeVM.Script.prototype.createCachedData === "function"
+    const { safeVM } = shared.module
+
+    return typeof safeVM.Script.prototype.createCachedData === "function"
   })
 
   setDeferred(support, "inspectProxies", () => {
+    const { safeUtil } = shared.module
+
     // Node < 6.1.0 does not support inspecting proxies.
-    const inspected = shared.module.safeUtil.inspect(dummyProxy, {
+    const inspected = safeUtil.inspect(dummyProxy, {
       depth: 1,
       showProxy: true
     })
@@ -203,10 +218,12 @@ function init() {
   })
 
   setDeferred(support, "nativeProxyReceiver", () => {
+    const { SafeBuffer } = shared.module
+
     // Detect support for invoking native functions with a proxy receiver.
     // https://bugs.chromium.org/p/v8/issues/detail?id=5773
     try {
-      const proxy = new Proxy(shared.module.SafeBuffer.alloc(0), {
+      const proxy = new Proxy(SafeBuffer.alloc(0), {
         get: (target, name) => target[name]
       })
 
@@ -220,7 +237,10 @@ function init() {
   })
 
   setDeferred(support, "replShowProxy", () => {
-    const { safeProcess, utilSatisfies } = shared.module
+    const {
+      safeProcess,
+      utilSatisfies
+    } = shared.module
 
     return utilSatisfies(safeProcess.version, ">=10")
   })
@@ -238,7 +258,10 @@ function init() {
   })
 
   setDeferred(utilBinding, "hiddenKeyType", () => {
-    const { safeProcess, utilSatisfies } = shared.module
+    const {
+      safeProcess,
+      utilSatisfies
+    } = shared.module
 
     return utilSatisfies(safeProcess.version, "<7")
       ? "string"

src/shim/function-prototype-to-string.js

@@ -9,10 +9,7 @@ function init() {
   const Shim = {
     enable(context) {
       const cache = shared.memoize.shimFunctionPrototypeToString
-
-      // Avoid a silent fail accessing `context.Function` in Electron 1.
-      const funcCtor = Function("c", "return c.Function")(context)
-      const funcProto = funcCtor.prototype
+      const funcProto = context.Function.prototype
 
       if (check(funcProto, cache)) {
         return context