Re: Secure dynamic JS compilation under CSP

From: Eric Chen <eric.chen@sv.cmu.edu>
Date: Thu, 19 Jul 2012 10:54:43 -0700
Message-ID: <CAF8haayaeKyAsfYW5Xi-3-Fs3J9E2_dKEgX1VKZ+8kA=N8vSQg@mail.gmail.com>
To: John J Barton <johnjbarton@johnjbarton.com>
Cc: public-webappsec@w3.org
Hi John:

On Thu, Jul 19, 2012 at 10:45 AM, John J Barton <johnjbarton@johnjbarton.com> wrote:

> Hi. I was looking into converting my application to use CSP when I learned
> that neither eval nor new Function() are allowed. I have a large
> application that uses these features to compile JS at runtime. I am
> wondering what alternatives are available.
>

You can use 'unsafe-eval' to allow eval.


-- 
-Eric
Received on Thursday, 19 July 2012 17:55:10 GMT