get the extension to executeScript that adds a ckeditor5 editor
'rollup' the executionScript
e.g.
background.mjs (from the firefox extension)
function attach() {
  // Runs in the target tab: load the bundled module from the extension package.
  (async () => {
    try {
      const src = browser.runtime.getURL("rolled-up-script.mjs");
      // await the import so that a failed module load reaches the catch block
      const m = await import(src);
      m.attach(); // the attach function exported by rolled-up-script.mjs should import ckeditor5 and create an editor.
    } catch (e) {
      console.error(e);
    }
  })();
}

browser.action.onClicked.addListener(async (tab) => {
  await browser.scripting.executeScript({
    target: { tabId: tab.id },
    func: attach
  });
  console.log("Script injected");
});
✔️ Expected result
should work
❌ Actual result
EvalError: call to Function() blocked by CSP
❓ Possible solution
Don't use lodash ! ?
📃 Other details
From what I can discover, there is code added to the executed script when importing ckeditor5
var root$2 = freeGlobal || freeSelf || Function('return this')();
which seems to come from lodash-es
I can't see how to exclude this from the ckeditor 5 import,
I would have expected it to get 'tree-shaken' out, as, as far as I know, it's not being used, but maybe it is internally to ckeditor5 somewhere.
One is not allowed to set the CSP script-src 'self' 'unsafe-eval' in a Firefox extension.
Any ideas welcomed
If you'd like to see this fixed sooner, add a 👍 reaction to this post.
Currently, we have no plans for removing or replacing lodash, but I recently looked into whether it's possible and how much work it would require #16395 (comment).
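An added example, not part of the original issue or of CKEditor's code: a build-time check that scans a rolled-up bundle for the dynamic-evaluation calls, such as the Function('return this')() statement quoted in the issue, that a CSP without 'unsafe-eval' blocks. The names NON_CODE, maskNonCode, findEvalSinks and the sample bundle are constructed for illustration, and the scan is a heuristic rather than a full JavaScript parser.

```javascript
// Added example: flag calls that a CSP without 'unsafe-eval' rejects at runtime.
// Only Function(...) / new Function(...) and eval(...) are covered here.
const SINKS = [
  { name: "Function()", re: /(?<![\w$])(?:new\s+)?Function\s*\(/g },
  { name: "eval()", re: /(?<![\w$])eval\s*\(/g },
];

// Comments and string literals. Heuristic: regex literals and code inside
// template-literal ${...} expressions are not parsed separately.
const NON_CODE =
  /\/\/[^\n]*|\/\*[\s\S]*?\*\/|"(?:\\[\s\S]|[^"\\])*"|'(?:\\[\s\S]|[^'\\])*'|`(?:\\[\s\S]|[^`\\])*`/g;

// Blank out comments and strings, keeping offsets and newlines, so that text
// such as "eval(" inside a string or a comment is not reported.
function maskNonCode(src) {
  return src.replace(NON_CODE, (s) => s.replace(/[^\n]/g, " "));
}

// Return one { sink, line, text } record per suspicious call in the bundle source.
function findEvalSinks(src) {
  const masked = maskNonCode(src);
  const lines = src.split("\n");
  const hits = [];
  for (const { name, re } of SINKS) {
    for (const m of masked.matchAll(re)) {
      const line = masked.slice(0, m.index).split("\n").length;
      hits.push({ sink: name, line, text: lines[line - 1].trim() });
    }
  }
  return hits.sort((a, b) => a.line - b.line);
}

// Constructed sample standing in for rolled-up-script.mjs; line 2 is the
// statement quoted in the issue, the other lines are made up.
const SAMPLE = [
  "// Function('return this')() inside a comment must not be reported",
  "var root$2 = freeGlobal || freeSelf || Function('return this')();",
  "function isFunction(value) { return typeof value == 'function'; }",
  "var note = \"never call eval(x) here\";",
].join("\n");

console.log(findEvalSinks(SAMPLE));
```

Run against the real bundle text (read from disk in a build step), a non-empty result means the bundle contains code that can fail under the extension's CSP before it is ever loaded in the browser.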