dance.selections.clear.secondary not working under Content Security Policy #349

Open
yuchenshi opened this issue Sep 23, 2024 · 0 comments


@yuchenshi
Collaborator

This only happens on a web-based VS Code build (running in the browser) under Content Security Policy. I can repro this in a Google-internal web IDE based on Code but this probably happens in VS Code web too.

When executing `,` (or a few related commands, linked here), a "no selections left" error is displayed instead of clearing secondary selections.

The underlying stack trace is hidden by catch statements but can be obtained through laborious use of Developer Tools. (Line numbers are off because code minifier and Google patches dance source code during importing, but some function names are still readable.)

```
EvalError: Refused to evaluate a string as JavaScript because this document requires 'Trusted Type' assignment.
	at new AsyncFunction (<anonymous>)
	at uc (<snip>/dance.js#module:176:195)
	at tc (<snip>/dance.js#module:174:607)
	at R.switchRun (<snip>/dance.js#module:228:327)
	at eval (<snip>/dance.js#module:382:144)
	at Object.gb [as filterByIndex] (<snip>/dance.js#module:117:109)
	at eval (<snip>/dance.js#module:381:494)
	at eval (<snip>/dance.js#module:159:96)
	at y.Context.runAsync (<snip>/dance.js#module:50:52)
	at k (<snip>/dance.js#module:159:83)
	at dc (<snip>/dance.js#module:159:272)
	at $e (<snip>/dance.js#module:381:134)
	at eval (<snip>/dance.js#module:450:27)
	at y.Context.runAsync (<snip>/dance.js#module:50:52)
	at a.dance.selections.filter [as handler] (<snip>/dance.js#module:450:3)
	at eval (<snip>/dance.js#module:181:574)
	at eval (<snip>/dance.js#module:423:117)
	at y.Context.runAsync (<snip>/dance.js#module:50:132)
	at T.CommandDescriptor.eval [as handler] (<snip>/dance.js#module:423:105)
	at T.CommandDescriptor.invoke (<snip>/dance.js#module:250:292)
	at eval (<snip>/dance.js#module:251:6)
	at Extension.runPromiseSafely (<snip>/dance.js#module:522:543)
	at T.CommandDescriptor.invokeSafely (<snip>/dance.js#module:250:510)
	at eval (<snip>/dance.js#module:251:160)
<snip>
```

The new AsyncFunction constructor call can be found at

```
func = new AsyncFunction(...runParameterNames(), ...additionalParameterNames, `{\n${code}\n}`);
```

which gets blocked because it is executing a string as JavaScript (like eval), which is forbidden under most CSPs.

An alternative implementation not involving string expressions is probably required to fully address this. For example, manually looping through the selections instead of evaling `i !== count`. I bet other commands are affected too but I haven't gone through a full audit of expression strings in command bindings.
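The approach suggested in the issue, as an added example that is not Dance's code: the string-compiled filter next to a closure-based one that compiles nothing, so it keeps working when the page's policy forbids string evaluation. The function names, the injectable `Ctor` parameter and `BlockedCtor` (a constructed stand-in for a CSP-enforcing document) are assumptions made for illustration.

```javascript
// Added example; all names here are hypothetical, not Dance's API.
const AsyncFunction = Object.getPrototypeOf(async function () {}).constructor;

// String-compiled filter: the pattern the issue reports as blocked.
// `Ctor` is injectable so a policy-enforcing environment can be simulated.
async function filterByExpression(selections, count, expression, Ctor = AsyncFunction) {
  let test;
  try {
    test = new Ctor("i", "count", `{\nreturn (${expression});\n}`);
  } catch (err) {
    // Surface the policy violation itself, so a later
    // "no selections left" message cannot mask the real cause.
    if (err && err.name === "EvalError") {
      throw new Error(`expression filter blocked by CSP: ${err.message}`);
    }
    throw err;
  }
  const kept = [];
  for (let i = 0; i < selections.length; i++) {
    if (await test(i, count)) kept.push(selections[i]);
  }
  return kept;
}

// CSP-safe variant: the predicate is a closure, so no string is compiled.
function filterByIndex(selections, predicate) {
  const kept = [];
  for (let i = 0; i < selections.length; i++) {
    if (predicate(i, selections[i])) kept.push(selections[i]);
  }
  if (kept.length === 0) throw new Error("no selections left");
  return kept;
}

// Same result as evaluating "i !== count" per selection, as a plain loop.
function dropIndex(selections, count) {
  return filterByIndex(selections, (i) => i !== count);
}

// Constructed stand-in for a document that refuses string evaluation.
function BlockedCtor() {
  throw new EvalError("Refused to evaluate a string as JavaScript");
}
```
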
