Remove lax CSP/eval from production builds

ext/build.js

@@ -8,6 +8,8 @@ const package = require("./package.json");
 const appPackage = require("../app/package.json");
 
 
+const INCLUDE_PATH = path.resolve(__dirname, "src");
+
 const DIST_PATH = path.join(__dirname, "../dist/ext");
 const UNPACKED_PATH = path.join(DIST_PATH, "unpacked");
 
@@ -36,11 +38,12 @@ if (argv.package) {
 
 // Import webpack config and specify env values
 const webpackConfig = require("./webpack.config.js")({
+    includePath: INCLUDE_PATH
     /**
      * If watching files, output directly to dist. Unpacked
      * directory is used as a staging area for web-ext builds.
      */
-    outputPath: argv.package
+  , outputPath: argv.package
         ? UNPACKED_PATH
         : DIST_PATH
 
@@ -50,10 +53,18 @@ const webpackConfig = require("./webpack.config.js")({
   , applicationName: appPackage.__applicationName
   , applicationVersion: appPackage.__applicationVersion
   , mirroringAppId: argv.mirroringAppId
+
+    // eval source map needs special CSP
+  , contentSecurityPolicy: argv.mode === "production"
+        ? "default-src 'self'"
+        : "script-src 'self' 'unsafe-eval'; object-src 'self'"
 });
 
 // Add mode to config
 webpackConfig.mode = argv.mode;
+webpackConfig.devtool = argv.mode === "production"
+    ? "source-map"
+    : "eval";
 
 
 // Clean

ext/src/manifest.json

@@ -3,13 +3,12 @@
   , "description": "__MSG_extensionDescription__"
   , "version": "EXTENSION_VERSION"
 
-  , "applications": {
+  , "browser_specific_settings": {
         "gecko": {
             "id": "EXTENSION_ID"
           , "strict_min_version": "64.0"
         }
     }
-
   , "browser_action": {
         "default_popup": "popup/index.html"
     }
@@ -24,15 +23,13 @@
           , "run_at": "document_start"
         }
     ]
-
+  , "content_security_policy": "CONTENT_SECURITY_POLICY"
-  , "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
   , "default_locale": "en"
   , "manifest_version": 2
 
   , "options_ui": {
         "page": "options/index.html"
     }
-
   , "permissions": [
         "menus"
       , "nativeMessaging"
@@ -42,7 +39,6 @@
       , "webRequestBlocking"
       , "<all_urls>"
     ]
-
   , "web_accessible_resources": [
         "shim/bundle.js"
       , "vendor/webcomponents-lite.min.js"

ext/src/shim/cast/index.js

@@ -278,6 +278,7 @@ onMessage(message => {
                 state.sessionRequestInProgress = false;
                 sessionErrorCallback(new Error_(ErrorCode.CANCEL));
             }
+
             break;
         }
     }

ext/webpack.config.js

@@ -4,21 +4,18 @@ const path              = require("path");
 const webpack           = require("webpack");
 const CopyWebpackPlugin = require("copy-webpack-plugin");
 
-
-const includePath = path.resolve(__dirname, "src");
-
 module.exports = (env) => ({
     entry: {
-        "main"           : `${includePath}/main.js`
+        "main"           : `${env.includePath}/main.js`
-      , "popup/bundle"   : `${includePath}/popup/index.jsx`
+      , "popup/bundle"   : `${env.includePath}/popup/index.jsx`
-      , "options/bundle" : `${includePath}/options/index.jsx`
+      , "options/bundle" : `${env.includePath}/options/index.jsx`
-      , "shim/bundle"    : `${includePath}/shim/index.js`
+      , "shim/bundle"    : `${env.includePath}/shim/index.js`
-      , "content"        : `${includePath}/content.js`
+      , "content"        : `${env.includePath}/content.js`
-      , "contentSetup"   : `${includePath}/contentSetup.js`
+      , "contentSetup"   : `${env.includePath}/contentSetup.js`
-      , "mediaCast"      : `${includePath}/mediaCast.js`
+      , "mediaCast"      : `${env.includePath}/mediaCast.js`
-      , "mirroringCast"  : `${includePath}/mirroringCast.js`
+      , "mirroringCast"  : `${env.includePath}/mirroringCast.js`
-      , "messageRouter"  : `${includePath}/messageRouter.js`
+      , "messageRouter"  : `${env.includePath}/messageRouter.js`
-      , "compat/youtube" : `${includePath}/compat/youtube.js`
+      , "compat/youtube" : `${env.includePath}/compat/youtube.js`
     }
   , output: {
         filename: "[name].js"
@@ -36,8 +33,8 @@ module.exports = (env) => ({
 
         // Copy static assets
       , new CopyWebpackPlugin([
-          {
+            {
-                from: includePath
+                from: env.includePath
               , to: env.outputPath
               , ignore: [ "*.js", "*.jsx" ]
               , transform (content, path) {
@@ -49,7 +46,8 @@ module.exports = (env) => ({
                             .replace("EXTENSION_VERSION", env.extensionVersion)
                             .replace("MIRRORING_APP_ID", env.mirroringAppId)
                             .replace("APPLICATION_NAME", env.applicationName)
-                            .replace("APPLICATION_VERSION", env.applicationVersion));
+                            .replace("APPLICATION_VERSION", env.applicationVersion)
+                            .replace("CONTENT_SECURITY_POLICY", env.contentSecurityPolicy));
                     }
 
                     return content;
@@ -57,12 +55,11 @@ module.exports = (env) => ({
             }
           , {
                 // Copy vendor dir
-                from: path.join(includePath, "vendor")
+                from: path.join(env.includePath, "vendor")
               , to: path.join(env.outputPath, "vendor")
             }
         ])
     ]
-  , mode: "development"
   , module: {
         rules: [
             {
@@ -70,7 +67,7 @@ module.exports = (env) => ({
               , resolve: {
                     extensions: [ ".js", ".jsx" ]
                 }
-              , include: `${includePath}`
+              , include: `${env.includePath}`
               , use: {
                     loader: "babel-loader"
                   , options: {