
CSP, unsafe-eval and crypto.generateCRMFRequest

From: Ian Melven <imelven@mozilla.com>
Date: Fri, 28 Dec 2012 09:51:49 -0800 (PST)
To: public-webappsec <public-webappsec@w3.org>
Message-ID: <334093049.3296754.1356717109672.JavaMail.root@mozilla.com>

Hi,

Recently Paul Theriault discovered that in Gecko, crypto.generateCRMFRequest bypasses CSP by
allowing script execution from a string when unsafe-eval isn't specified as part of
an applied CSP.

This has been filed as http://bugzilla.mozilla.org/show_bug.cgi?id=824652

There was a suggestion in the bug to add this to the list of eval and friends
blocked by CSP in the spec - I think in general the spec avoids exhaustively listing
all the ways to do things such as eval, but am bringing this up here to see if others
think we should call out this case since it seems like a fairly
easy one to miss.

thanks!
ian
Received on Friday, 28 December 2012 17:52:21 GMT
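The point of the report above is that CSP's unsafe-eval restriction only covers the string-to-code sinks an engine has actually wired into its CSP enforcement, so a reviewer cannot rely on the policy alone and has to know which sinks a page calls. The following is an added example, not code from the thread or from Gecko: it parses a CSP header to decide whether the governing directive permits eval (script-src, falling back to default-src, with no directive meaning no restriction), then scans page script for the sinks the CSP 1.0 spec names (eval, Function, string arguments to setTimeout/setInterval) plus crypto.generateCRMFRequest, whose script-string callback argument is the case filed as bug 824652. The sample page script is constructed, and the argument layout used in the generateCRMFRequest call (callback string as the fifth argument) is assumed from the old MDN documentation of that Gecko-only API rather than taken from the bug.

```javascript
// Added example (not from the mailing-list thread): CSP eval check plus a
// scan for string-to-code sinks, including one CSP enforcement missed.

// Parse "directive src src; directive src" into a Map. Per CSP, a
// directive repeated in one policy is ignored after its first occurrence.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// true if the policy lets script be created from strings: 'unsafe-eval' is
// present in script-src, or in default-src when script-src is absent. With
// neither directive the policy does not govern script at all, so eval runs.
function allowsEval(header) {
  const d = parseCsp(header);
  const srcs = d.has('script-src') ? d.get('script-src') : d.get('default-src');
  if (srcs === undefined) return true;
  return srcs.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Sinks that turn a string into running script. coveredBySpec marks the ones
// CSP 1.0 lists under unsafe-eval; crypto.generateCRMFRequest is the Gecko
// API whose CRMFGenerationDoneCode argument is evaluated as script.
const SINKS = [
  { name: 'eval', re: /\beval\s*\(/g, coveredBySpec: true },
  { name: 'Function', re: /\bFunction\s*\(/g, coveredBySpec: true },
  { name: 'setTimeout(string)', re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/g, coveredBySpec: true },
  { name: 'crypto.generateCRMFRequest', re: /\bcrypto\.generateCRMFRequest\s*\(/g, coveredBySpec: false },
];

// Return every sink occurrence in the source with its 1-based line number.
function findStringToCodeSinks(source) {
  const hits = [];
  for (const sink of SINKS) {
    for (const m of source.matchAll(sink.re)) {
      const line = source.slice(0, m.index).split('\n').length;
      hits.push({ sink: sink.name, line, coveredBySpec: sink.coveredBySpec });
    }
  }
  return hits.sort((a, b) => a.line - b.line);
}

// Combine the two: a sink is only blocked when the policy withholds
// unsafe-eval AND the engine enforces CSP on that sink. The Gecko bug is
// exactly a sink where the second condition was false.
function review(header, source) {
  const evalAllowed = allowsEval(header);
  return findStringToCodeSinks(source).map((h) => ({
    ...h,
    blockedByCsp: !evalAllowed && h.coveredBySpec,
  }));
}

// Constructed sample page script (not taken from the bug report). The
// generateCRMFRequest argument order (DN, regToken, authenticator,
// escrowAuthorityCert, CRMFGenerationDoneCode, keySize, keyParams, keyGenAlg)
// is an assumption based on the old MDN docs for this Gecko-only API.
const SAMPLE_SOURCE = `
var f = new Function("return 1");
setTimeout("doWork()", 100);
crypto.generateCRMFRequest("CN=test", null, null, null, "keyDone(crmfObject)", 1024, null, "rsa-dual-use");
`;

function demo() {
  const policy = "script-src 'self'";
  for (const hit of review(policy, SAMPLE_SOURCE)) {
    console.log(`line ${hit.line}: ${hit.sink} -> ${hit.blockedByCsp ? 'blocked by CSP' : 'NOT blocked by CSP'}`);
  }
}

demo();
```

Running it with script-src 'self' reports the Function and setTimeout calls as blocked and the generateCRMFRequest call as not blocked, which is the gap the report describes; the scanner is regex-based and only a triage aid, so a hit on a sink the spec does not list should be verified in the engine rather than trusted either way.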
