Google Visualization really uses eval() internally
The Google Visualization API currently uses:
1. eval on corechart.I.js (3 times)
2. eval on jsapi
Taken from here, a bug report about 1 month old regarding compatibility between GV and the Chrome App Manifest v2. Google Visualization itself does not comply with the rules of Manifest V2:
Is your code or library used with eval(), new Function(), innerHTML, setTimeout(), or otherwise passing JS code strings that are dynamically evaluated?
- Use JSON.parse() if you are parsing JSON code into an object.
- Use a CSP-friendly library like AngularJS.
- Create a sandbox entry in the manifest and run the vulnerable code in the sandbox, using postMessage() to communicate with the sandbox page.
So Google themselves are aware of the problem.
My impression is that GV internally uses eval(jsonString) instead of JSON.parse() due to browser compatibility: JSON.parse() was not available until IE8, Firefox 3.1, etc. (see the compatibility list), which is why you get an invalid JSON error when blocking eval().
Since this also affects how GV complies with Manifest rules, I think the problem will disappear very soon.
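As an added example (not from the answer above and not Google Visualization's own code), here is the host-page side of the sandbox option the answer quotes: the CSP-enforced page never calls eval(); chart data goes to a sandboxed frame as JSON text, and replies from the frame are checked for their source and decoded with JSON.parse only, so a string that eval() would have executed as code is rejected instead. The frame element, the message types and the payload shape are this example's own assumptions.

```javascript
// Host side of the "sandbox entry + postMessage" pattern (example code).
// Assumed layout: a sandboxed page (e.g. sandbox.html, listed under the
// manifest's "sandbox" entry) hosts the chart; this page only exchanges
// messages with it. Message type names and payload shapes are made up here.

// Strict stand-in for eval(jsonString): only JSON is accepted, anything
// else (e.g. "alert(1)" or "1+1") throws a SyntaxError instead of running.
function parseDataStrict(text) {
  return JSON.parse(text);
}

// Build the message the host posts to the sandboxed frame. The DataTable
// is serialised to JSON text, never sent as a JavaScript expression.
function buildDrawMessage(dataTable, options) {
  return { type: 'draw', data: JSON.stringify(dataTable), options: options || {} };
}

// Validate a message coming back from the sandbox before trusting it.
// `expectedSource` is the frame's contentWindow; sandboxed frames have an
// opaque origin, so comparing event.source is the reliable check here.
// Returns { ok: true, value } or { ok: false, reason }.
function handleSandboxReply(event, expectedSource) {
  if (event.source !== expectedSource) return { ok: false, reason: 'unexpected source' };
  const msg = event.data;
  if (!msg || typeof msg !== 'object') return { ok: false, reason: 'malformed message' };
  if (msg.type !== 'selection') return { ok: false, reason: 'unknown message type' };
  let sel;
  try {
    sel = parseDataStrict(msg.payload); // code strings fail here, never execute
  } catch (e) {
    return { ok: false, reason: 'payload is not JSON' };
  }
  if (!Array.isArray(sel)) return { ok: false, reason: 'selection is not an array' };
  return { ok: true, value: sel };
}

// Wiring in a real page (commented out because it needs a DOM):
// const frame = document.getElementById('chart-sandbox');
// frame.contentWindow.postMessage(buildDrawMessage(table, { title: 'Sales' }), '*');
// window.addEventListener('message', (ev) => {
//   const r = handleSandboxReply(ev, frame.contentWindow);
//   if (r.ok) console.log('selected', r.value);
// });
```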