Dynamic code execution

Chrome extension eval() and dynamic code rejection fix

Find eval, new Function, and string-based timers that can trigger Chrome extension CSP and review problems.

What to check

Why eval is risky

String-code execution makes extension behavior harder to review and often conflicts with extension page CSP restrictions. It can also hide remote-code-like behavior from a static review.

Patterns to replace

Replace eval, Function constructors, and string-based setTimeout or setInterval calls with normal functions, modules, command maps, JSON parsing, or structured data.

How this scanner helps

The report shows the file, line, snippet, reason, and recommendation so developers can quickly remove dynamic code execution patterns from the submitted ZIP.

Action checklist

  • Search for eval calls in background, popup, options, and content scripts.
  • Replace new Function with explicit functions or a command map.
  • Replace string-based setTimeout and setInterval with function callbacks.
  • Check bundled vendor files for dynamic-code helpers.
  • Rebuild and scan the production ZIP again.

Common cases this page helps with

Command string passed to eval

Replace eval(command) with a map such as actions[commandName](payload), where commandName is validated and action functions are bundled.

new Function template evaluator

Replace runtime function construction with precompiled templates, safe expression parsing, or a limited set of local handlers.

String timer callback

Replace setTimeout("runTask()", 1000) with setTimeout(() => runTask(), 1000).
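The following is an added example, not the scanner's own code: a small static check that flags the three patterns described above (eval calls, Function constructors, string-based timers) in constructed sample source and reports file, line, snippet, reason, and recommendation in the shape the report section describes. The regexes, the rule names, and the sample file contents are assumptions; a real scanner should also handle block comments and minified bundles.

```javascript
// Added example: approximate pattern rules for the dynamic-code cases this page lists.
// These regexes are assumptions, not the page's scanner logic.
const RULES = [
  {
    id: "eval-call",
    re: /\beval\s*\(/,
    reason: "eval runs a string as code and conflicts with extension page CSP",
    recommendation: "Dispatch through a validated command map: actions[commandName](payload)",
  },
  {
    id: "function-constructor",
    re: /\bnew\s+Function\s*\(|\bFunction\s*\(\s*["'`]/,
    reason: "Function constructor builds executable code from strings at runtime",
    recommendation: "Use precompiled templates or a limited set of local handlers",
  },
  {
    id: "string-timer",
    re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/,
    reason: "a string callback is evaluated like eval",
    recommendation: "Pass a function: setTimeout(() => runTask(), 1000)",
  },
];

// Scan one file's text line by line; line comments are ignored (assumption: no block comments).
function scanSource(file, source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    const code = text.replace(/\/\/.*$/, "");
    for (const rule of RULES) {
      if (rule.re.test(code)) {
        findings.push({ file, line: i + 1, snippet: text.trim(), rule: rule.id,
                        reason: rule.reason, recommendation: rule.recommendation });
      }
    }
  });
  return findings;
}

// Scan every file in a {name: source} map, mirroring a walk over an unpacked ZIP.
function scanAll(files) {
  return Object.entries(files).flatMap(([name, src]) => scanSource(name, src));
}

// Constructed sample input, not taken from any real extension.
const SAMPLE = {
  "background.js": [
    "chrome.runtime.onMessage.addListener((msg) => eval(msg.command));",
    'const render = new Function("data", "return `Hi ${data.name}`");',
    'setTimeout("runTask()", 1000);',
    "setTimeout(() => runTask(), 1000); // function callback, not reported",
    '// eval("legacy") inside a comment is not reported',
  ].join("\n"),
};
```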

Frequently asked questions

Does every eval occurrence cause rejection?

The scanner treats eval as high risk because it is commonly incompatible with extension CSP and review expectations. Review and remove it when possible.

Can minified vendor code contain dynamic execution?

Yes. Scan the final ZIP because bundled dependencies can introduce eval-like patterns that are not obvious in your own source files.

What is the safest replacement?

Use explicit local functions, static imports, command maps, and structured data. Avoid constructing executable code from strings.