
RE: CSP, unsafe-eval and crypto.generateCRMFRequest

From: Hill, Brad <bhill@paypal-inc.com>
Date: Fri, 28 Dec 2012 19:19:33 +0000
To: Ian Melven <imelven@mozilla.com>, public-webappsec <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E30D3FB@DEN-EXDDA-S12.corp.ebay.com>
Certainly seems like it should go in the test suite.  Perhaps we ought to have a wiki page providing some test-case narrative and history, including this list of non-obvious eval equivalents?

> -----Original Message-----
> From: Ian Melven [mailto:imelven@mozilla.com]
> Sent: Friday, December 28, 2012 9:52 AM
> To: public-webappsec
> Subject: CSP, unsafe-eval and crypto.generateCRMFRequest
> 
> 
> Hi,
> 
> Recently Paul Theriault discovered that in Gecko,
> crypto.generateCRMFRequest bypasses CSP by allowing script execution
> from a string when unsafe-eval isn't specified as part of an applied CSP.
> 
> This has been filed as http://bugzilla.mozilla.org/show_bug.cgi?id=824652
> 
> There was a suggestion in the bug to add this to the list of eval and friends
> blocked by CSP in the spec - I think in general the spec avoids exhaustively
> listing all the ways to do things such as eval, but am bringing this up here to
> see if others think we should call out this case since it seems like a fairly easy
> one to miss.
> 
> thanks!
> ian
> 

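The kind of test case the reply asks for, as an added example that is not code from the thread, from Gecko or from the W3C CSP test suite: a probe harness that feeds a script string to every known eval equivalent and checks that a policy without 'unsafe-eval' refuses each one. The generateCRMFRequest probe assumes the legacy Gecko argument order (script string in the "generation done" position) and uses placeholder values for the other arguments.

```javascript
// Added example, not code from the thread, Gecko or the W3C test suite: a probe
// harness of the kind a CSP test suite could run to confirm that every
// string-to-code sink is refused when 'unsafe-eval' is absent. In a browser under
// "script-src 'self'" each probe should report "blocked"; under Node, where no
// CSP applies, the standard sinks report "executed".
const MARKER = "__cspProbeRan"; // set by the code string only if it really runs
const CODE = `globalThis["${MARKER}"] = true;`;

// Each sink is a function placing CODE where the API treats a string as script.
// Vendor-specific sinks such as the Gecko generateCRMFRequest case are added here
// so a bypass found once stays covered by the suite.
const PROBES = {
  eval: () => eval(CODE),
  Function: () => new Function(CODE)(),
  generateCRMFRequest: () => {
    // Legacy Gecko API: the script string was passed as the "generation done"
    // argument. The argument order and the other values are assumptions here.
    const fn = globalThis.crypto && globalThis.crypto.generateCRMFRequest;
    if (typeof fn !== "function") throw new TypeError("generateCRMFRequest is not a function");
    return fn.call(globalThis.crypto, "CN=probe", null, null, null, CODE, 2048, null, "rsa-ex");
  },
};

// Runs one probe and classifies what happened.
function runProbe(fn) {
  delete globalThis[MARKER];
  try {
    fn();
  } catch (e) {
    if (e instanceof EvalError || e.name === "SecurityError") return "blocked";
    if (e instanceof TypeError && /not a function/.test(e.message)) return "unavailable";
    return "error:" + e.name;
  }
  // Asynchronous sinks cannot set the marker synchronously; they land in "pending"
  // and need a securitypolicyviolation listener or a later re-check in a browser.
  return globalThis[MARKER] ? "executed" : "pending";
}

function runProbes(probes = PROBES) {
  const results = {};
  for (const [name, fn] of Object.entries(probes)) results[name] = runProbe(fn);
  return results;
}

// Under a policy without 'unsafe-eval', anything executed or pending is a failure.
function violations(results) {
  return Object.keys(results).filter((n) => results[n] === "executed" || results[n] === "pending");
}
```

Serving this file from a page that carries a `Content-Security-Policy: script-src 'self'` header turns `violations(runProbes())` into the list of sinks the browser failed to block.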
Received on Friday, 28 December 2012 19:21:35 GMT
