I'd also consider acorn.js as an alternative, potentially slightly faster, parser to Esprima.

I played with shimming/modifying exp-parser today but couldn't get far. Esprima/Acorn are solid for parsing javascript syntax into an object or even instrumenting it as a string, but doesn't get us much closer to the goal of actually executing it without a breaking a strict "unsafe-eval" CSP.

Maybe I'm missing something -- any ideas?

I haven't got time to dig into this yet, but take a look at https://github.com/substack/static-eval and https://github.com/polymer/polymer-expressions

Definitely useful; thanks for the references.

For what it's worth, I was able to get it working in a strict CSP environment using a "browserified" version of the "notevil" package.

I don't have the time right now to test it thoroughly and it could be heavily optimized, but it get's the job done for anyone looking for a quick and dirty solution. It may be a good starting point for a more complete implementation.

Commit: cecchi@d1caa52

0.11 CSP compliant build is now available in the csp branch: https://github.com/yyx990803/vue/tree/csp