Make it possible to run without using window.eval()

Open Jermolene opened this issue 1 year ago • 4 comments

Content security policies are a relatively new way to increase the security of web applications by having the server request additional security restrictions to be placed on a site.

In particular, it is now generally best practice to run web applications with the "unsafe-eval" restriction, which prevents the use of window.eval(). That's a problem for TW5 because our built-in module system uses eval to execute modules.

An approach that should work in principle is to optionally:

  • In a separate, preceding script tag, preload all the required modules using $tw.modules.define(moduleName,moduleType,exports), where "exports" is the object exported by the module
  • Disable loading of modules from tiddlers
  • We'd also need a slightly different build process to output the required modules in the required format

Jermolene avatar Jul 28 '22 13:07 Jermolene
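A sketch of the preload approach proposed above, added here as an example and not taken from TiddlyWiki. Only the `define(moduleName,moduleType,exports)` signature comes from the issue; `createRegistry`, `defineFromText`, `buildPreloadScript`, the `allowTextModules` flag and the sample modules are assumptions.

```javascript
// Added example; not TiddlyWiki code. Every name except define() is hypothetical.
function createRegistry({ allowTextModules }) {
  const modules = Object.create(null);
  const registry = {
    // Preload path: exports already exist, so nothing is compiled from a string.
    define(moduleName, moduleType, exports) {
      modules[moduleName] = { moduleType, exports };
    },
    // Tiddler path: keep the source text and compile it on first require().
    defineFromText(moduleName, moduleType, text) {
      if (!allowTextModules) {
        throw new Error("Loading modules from tiddlers is disabled: " + moduleName);
      }
      modules[moduleName] = { moduleType, text };
    },
    require(moduleName) {
      const mod = modules[moduleName];
      if (!mod) throw new Error("Unknown module: " + moduleName);
      if (!mod.exports) {
        // String-to-code step: a CSP without 'unsafe-eval' blocks this, like eval().
        mod.exports = {};
        new Function("exports", "require", mod.text)(mod.exports, registry.require);
      }
      return mod.exports;
    },
  };
  return registry;
}

// Build step: wrap each module's source in a function literal so the browser parses
// it as ordinary script content. Dependencies must be emitted before their users.
function buildPreloadScript(sources, registryName) {
  return sources.map(({ name, type, text }) =>
    registryName + ".define(" + JSON.stringify(name) + "," + JSON.stringify(type) +
    ",(function(exports,require){\n" + text + "\nreturn exports;\n})({}," +
    registryName + ".require));"
  ).join("\n");
}

// Constructed sample modules (not real TiddlyWiki tiddlers).
const SAMPLE_SOURCES = [
  { name: "$:/demo/greet.js", type: "library",
    text: "exports.greet = function(n){ return 'Hello ' + n; };" },
  { name: "$:/demo/macro.js", type: "macro",
    text: "exports.run = function(){ return require('$:/demo/greet.js').greet('TW5'); };" },
];
```

The output of `buildPreloadScript` is what would go in the separate, preceding script tag; with `allowTextModules` set to `false` the registry never reaches the `new Function` call.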

Isn't this a problem for every library that uses a "require.js" like module system?

pmario avatar Jul 28 '22 15:07 pmario

Isn't this a problem for every library that uses a "require.js" like module system?

I don't think so: modern tools build everything into one blob of JS as a build step on the server.

Jermolene avatar Jul 28 '22 15:07 Jermolene

Does this mean putting all js tiddlers inside a js script tag instead of in the json script tag?

buggyj avatar Jul 29 '22 06:07 buggyj

Does this mean putting all js tiddlers inside a js script tag instead of in the json script tag?

Yes, just that. I'll edit the OP to clarify.

Jermolene avatar Jul 29 '22 06:07 Jermolene