Re: Secure dynamic JS compilation under CSP

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 19 Jul 2012 10:54:05 -0700
Message-ID: <CAJE5ia-KGg-dCUnXdEsMHMrjKMLaCoL4FMyU=GoitNdVmLV8oQ@mail.gmail.com>
To: John J Barton <johnjbarton@johnjbarton.com>
Cc: public-webappsec@w3.org

If you want to use eval, you can enable it by listing 'unsafe-eval'
(with the quotes) in the script-src part of your CSP policy:

default-src 'self'; script-src 'self' 'unsafe-eval'

Adam


On Thu, Jul 19, 2012 at 10:45 AM, John J Barton
<johnjbarton@johnjbarton.com> wrote:
> Hi. I was looking into converting my application to use CSP when I learned
> that neither eval nor new Function() are allowed. I have a large application
> that uses these features to compile JS at runtime. I am wondering what
> alternatives are available.
>
> Thanks,
> jjb
Received on Thursday, 19 July 2012 17:55:06 GMT
