unsafe-eval in generated javascript code

[zlk89]

What version of protobuf and what language are you using?
Version: v3.6.1
Language: Javascript

What operating system (Linux, Windows, ...) and version?
Mac OS 10.12.6

What runtime / compiler are you using (e.g., python version or gcc version)
Use the v3.6.1 compiled binary file protoc to compile

What did you do?
Steps to reproduce the behavior:

1. Compile proto file into js using command like this: protoc --js_out=import_style=commonjs,binary:output_dir schema.proto
2. You will find a line in generated javascript code:
   var global = Function('return this')();
   which is an unsafe eval that triggers error on user browser, if csp header doesn't whitelist unsafe-eval

What did you expect to see
Generated code shouldn't use any unsafe eval.
It can be replaced by something like
var global = (typeof self == "undefined" ? typeof global == "undefined"? this : global : self);

What did you see instead?
Seeing an unnecessary unsafe eval.

Make sure you include information that can help us debug (full error message, exception listing, stack trace, logs).

Anything else we should know about your project / environment

[felixfbecker]

This prevents using Protobuf and in turn https://github.com/lightstep/lightstep-tracer-javascript from being used in Chrome/Firefox extensions which disallow eval().

[rhanesoghlyan]

I have the same problem. Any news ?

[dlj-NaN]

I'm going to call this issue a duplicate of protocolbuffers/protobuf-javascript#25. Even though this issue is older, I think the newer issue has a bit more background to start collecting further discussion.

Thanks for filing this issue! And please do feel free to chime in on protocolbuffers/protobuf-javascript#25 if you would like.