TiddlyWiki5
TiddlyWiki5 copied to clipboard
Make it possible to run without using window.eval()
Content security policies are a relatively new way to increase the security of web applications by having the server request additional security restrictions to be placed on a site.
In particular, it is now generally best practice to run web applications with the "unsafe-eval" restriction, which prevents the use of window.eval(). That's a problem for TW5 because our built-in module system uses eval to execute modules.
An approach that should work in principle is to optionally:
- In a separate, preceding script tag, preload all the required modules using
$tw.modules.define(moduleName,moduleType,exports)
, where "exports" is the object exported by the module - Disable loading of modules from tiddlers
- We'd also need a slightly different build process to output the required modules in the required format
Isn't this a problem for every library that uses a "require.js" like module system?
Isn't this a problem for every library that uses a "require.js" like module system?
I don't think so: modern tools build everything into one blob of JS as a build step on the server.
Does this mean putting all js tiddlers inside a js script tag instead of in the json script tag?
Does this mean putting all js tiddlers inside a js script tag instead of in the json script tag?
Yes just that. I'll edit the OP to clarify