Sanitizing out from the CSP policies in production

adambullmer · adambullmer · commit 7838731ab06b · 2019-08-25T01:09:52.000-05:00
Resolves #54
diff --git a/index.js b/index.js
@@ -78,15 +78,17 @@ module.exports = (api, options) => {
               jsonContent.description = packageJson.description
             }
 
+            jsonContent.content_security_policy =
+              jsonContent.content_security_policy || "script-src 'self' 'unsafe-eval'; object-src 'self'"
+
             // If building for production (going to web store) abort early.
             // The browser extension store will hash your signing key and apply CSP policies.
             if (isProduction) {
+              jsonContent.content_security_policy = jsonContent.content_security_policy.replace(/'unsafe-eval'/, '')
+
               return getManifestJsonString(pluginOptions, jsonContent)
             }
 
-            jsonContent.content_security_policy =
-              jsonContent.content_security_policy || "script-src 'self' 'unsafe-eval'; object-src 'self'"
-
             if (hasKeyFile) {
               try {
                 jsonContent.key = await hashKey(keyFile)
