Chrome packaged apps don’t allow using eval or alternative expressions like new Function() to evaluate arbitrary JavaScript code at runtime. Chrome allows adding an unsafe-eval content security policy to its extensions to enable this, but for packaged apps, that is not an option. If you really need a way to bypass this security policy in apps, there is one solution though. You would need to save the JavaScript code as a file on the local filesystem using HTML5 FileSystem API. You can then include the script in your page to execute the JavaScript.

First step is to request the filesystem:

        navigator.webkitPersistentStorage.requestQuota(FILESYSTEM_RESOURCES_QUOTA_MB * 1024 * 1024, function (grantedBytes) {
    console.log('Granted ' + grantedBytes + ' bytes for filesystem.');
    window.webkitRequestFileSystem(window.PERSISTENT, grantedBytes, onInitFs, errorHandler);
}, errorHandler);

function onInitFs(fs) {
	// File system initialized

After initializing the file system, we can create a temporary app on the filesystem and the load the script:

fs.root.getFile('my-script.js', {create: true}, function(fileEntry) {
    // Create a FileWriter object for our FileEntry (log.txt).
    fileEntry.createWriter(function(fileWriter) {

        fileWriter.onwriteend = function(e) {
            console.log('Write completed.');

            // Execute the script 

        fileWriter.onerror = function(e) {
            console.log('Write failed: ' + e.toString());

        // Create a new Blob and write it to my-script.js.
        var blob = new Blob([scriptText], {type: 'text/plain'});
    }, errorHandler);
}, errorHandler);