unsafe-eval in a Chrome extension's Content Security Policy permits dynamic code execution via eval(), new Function(), and related patterns — exactly the primitives an attacker uses in an XSS payload. Chrome Web Store (chrome-cws-csp-policy) blocks extensions with unsafe-eval in their CSP outright; there is no exception process. Beyond store rejection, allowing eval() in an extension context means any cross-site scripting vulnerability in the extension's pages can escalate to full browser API access, violating OWASP A03 (Injection) and CWE-95 (Improper Neutralization of Directives in Eval).
Severity is high because `unsafe-eval` causes Chrome Web Store rejection and, if any content is rendered dynamically, turns an ordinary XSS bug into an escalation to the extension's API surface.
Remove unsafe-eval, unsafe-inline, and unsafe-hashes from your manifest's CSP. The default restrictive policy applies if you omit the field entirely.
{
  "content_security_policy": {
    "extension_pages": "script-src 'self'; object-src 'self';"
  }
}
If you currently use eval() for dynamic logic, refactor to static code or use chrome.scripting.executeScript with a declared function reference. Bundlers like esbuild and Webpack compile templates to static JS at build time, eliminating any need for runtime eval().
ID: extension-store-readiness.policy-compliance.csp-no-unsafe-eval
Severity: high
What to look for: Check the manifest's content_security_policy field (if present). Look for the strings unsafe-eval, unsafe-inline, or unsafe-hashes. These are security risks and not allowed in Chrome Web Store extensions.
Pass criteria: Count every directive in the CSP. 0 instances of unsafe-eval, unsafe-inline, or unsafe-hashes found in the content security policy. The CSP is either absent (defaults to secure policy) or uses a secure, restrictive policy.
Fail criteria: At least 1 instance of unsafe-eval, unsafe-inline, or unsafe-hashes in the manifest's CSP. Do NOT pass if unsafe-eval is present even in a development-only CSP — the manifest ships to production.
Skip (N/A) when: Never — CSP security is a Chrome Web Store requirement.
Detail on fail: "Manifest CSP includes 'unsafe-eval' in script-src" or "CSP allows unsafe-inline for styles".
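As an added example (not the linter's own code), the following script applies the "What to look for", pass and fail criteria above to a parsed manifest.json. It walks the MV3 object form of content_security_policy (extension_pages, sandbox) and, going one step beyond the text, also accepts the MV2 string form; the manifests at the bottom are constructed samples, not real extensions.

```javascript
// Source expressions the rule forbids, compared without their CSP quotes so the
// check matches the page's "look for the strings" wording.
const FORBIDDEN_SOURCES = ["unsafe-eval", "unsafe-inline", "unsafe-hashes"];

// Return every CSP string in the manifest, tagged with the field it came from.
function collectCspStrings(manifest) {
  const csp = manifest.content_security_policy;
  if (csp === undefined || csp === null) return [];
  if (typeof csp === "string") {
    return [{ field: "content_security_policy", value: csp }];
  }
  return Object.entries(csp)
    .filter(([, value]) => typeof value === "string")
    .map(([key, value]) => ({ field: `content_security_policy.${key}`, value }));
}

// Split "script-src 'self'; object-src 'self';" into
// [{ name: "script-src", sources: ["'self'"] }, { name: "object-src", sources: ["'self'"] }].
function parseDirectives(cspString) {
  return cspString
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const [name, ...sources] = part.split(/\s+/);
      return { name: name.toLowerCase(), sources: sources.map((s) => s.toLowerCase()) };
    });
}

// Apply the rule: pass only when no forbidden source appears in any directive
// of any CSP string; an absent field passes because Chrome's default applies.
function checkManifestCsp(manifest) {
  const findings = [];
  for (const { field, value } of collectCspStrings(manifest)) {
    for (const { name, sources } of parseDirectives(value)) {
      for (const source of sources) {
        const bare = source.replace(/^'|'$/g, "");
        if (FORBIDDEN_SOURCES.includes(bare)) {
          findings.push({
            field,
            directive: name,
            source,
            detail: `Manifest CSP includes '${bare}' in ${name} (${field})`,
          });
        }
      }
    }
  }
  return { status: findings.length === 0 ? "pass" : "fail", findings };
}

// Constructed sample manifests (not real extensions).
const MANIFEST_EVAL = {
  manifest_version: 3,
  content_security_policy: {
    extension_pages: "script-src 'self' 'unsafe-eval'; object-src 'self';",
  },
};
const MANIFEST_INLINE_STYLES = {
  manifest_version: 3,
  content_security_policy: {
    extension_pages: "script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'self';",
  },
};
const MANIFEST_MV2_STRING = {
  manifest_version: 2,
  content_security_policy: "script-src 'self' 'unsafe-hashes'; object-src 'self'",
};
const MANIFEST_CLEAN = {
  manifest_version: 3,
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self';" },
};
const MANIFEST_NO_CSP = { manifest_version: 3 };

const SAMPLES = { MANIFEST_EVAL, MANIFEST_INLINE_STYLES, MANIFEST_MV2_STRING, MANIFEST_CLEAN, MANIFEST_NO_CSP };
for (const [label, manifest] of Object.entries(SAMPLES)) {
  const { status, findings } = checkManifestCsp(manifest);
  console.log(`${label}: ${status}`, findings.map((f) => f.detail));
}
```

The check deliberately scans every CSP string in the field rather than only extension_pages, because the pass criteria say to count every directive; keywords are lowercased before comparison since CSP keyword matching is case-insensitive, and the quotes are stripped so a misquoted `unsafe-eval` is still reported.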
Remediation: Remove unsafe directives from your CSP:
{
  "content_security_policy": {
    "extension_pages": "script-src 'self'; object-src 'self';"
  }
}
If you need dynamic code execution, use chrome.scripting.executeScript instead of problematic patterns.
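The refactor recommended here and in the overview above ("refactor to static code or use chrome.scripting.executeScript with a declared function reference"), as an added example that is not the page's or any extension's own code. The "before" function needs 'unsafe-eval'; the "after" keeps the same kind of configurable behaviour with a static dispatch table and shows executeScript injecting a declared function. It assumes an MV3 extension holding the "scripting" permission and host permission for the target tab; the action names and sample inputs are constructed for illustration.

```javascript
// BEFORE: the action body is a string (for example loaded from options storage)
// and is compiled at runtime. This requires 'unsafe-eval' in the CSP, and any
// path by which untrusted input reaches `actionCode` runs it with extension
// privileges. Kept only to contrast with the version below.
function runActionWithEval(actionCode, input) {
  return new Function("input", actionCode)(input);
}

// AFTER: every action is a declared function selected by name. Nothing is
// compiled at runtime, so Chrome's default CSP (no 'unsafe-eval') suffices.
const ACTIONS = Object.freeze({
  uppercase: (text) => text.toUpperCase(),
  wordCount: (text) => text.trim().split(/\s+/).filter(Boolean).length,
  reverse: (text) => Array.from(text).reverse().join(""),
});

function runAction(name, input) {
  // hasOwnProperty guards against prototype names such as "constructor".
  if (!Object.prototype.hasOwnProperty.call(ACTIONS, name)) {
    throw new Error(`Unknown action: ${name}`);
  }
  return ACTIONS[name](input);
}

// Function to run inside a tab. Chrome serializes the function's source and
// re-creates it in the page, so it must not reference anything in this scope.
function countOccurrencesOnPage(needle) {
  const text = document.body ? document.body.innerText : "";
  return needle.length === 0 ? 0 : text.split(needle).length - 1;
}

// Injects the declared function by reference (func:), never a code string.
async function countInTab(tabId, needle) {
  const results = await chrome.scripting.executeScript({
    target: { tabId },
    func: countOccurrencesOnPage,
    args: [needle],
  });
  return results[0].result;
}

// Stand-alone demo: outside Chrome only the pure dispatch table runs.
if (typeof chrome === "undefined") {
  console.log(runAction("uppercase", "content security policy"));
  console.log(runAction("wordCount", "content security policy"));
}
```

Each entry in ACTIONS is ordinary static JS that a bundler can tree-shake and a reviewer can read; what used to be a code string in storage becomes a plain action name, which is data rather than code and so cannot be escalated by an injection bug.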