Re: Secure dynamic JS compilation under CSP

From: John J Barton <johnjbarton@johnjbarton.com>
Date: Thu, 19 Jul 2012 11:17:58 -0700
Message-ID: <CAFAtnWx5F+5nE_oYqkeiXtEOZrnKiFihvN5D0Pu-XiVTu29AKw@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: public-webappsec@w3.org
On Thu, Jul 19, 2012 at 10:54 AM, Adam Barth <w3c@adambarth.com> wrote:

> If you want to use eval, you can enable it by listing 'unsafe-eval'
> (with the quotes) in the script-src part of your CSP policy:
>
> default-src 'self'; script-src 'self' 'unsafe-eval'
>

Thanks for the suggestion. However this option does not seem to be allowed
for Chrome extensions:
http://code.google.com/chrome/extensions/contentSecurityPolicy.html#H2-3

Any other suggestions?

By the way I object to the name of this option. "unsafe-eval" implies that
eval is unsafe or that the CSP user intends to use eval in an unsafe
manner. Neither of these is true for any practical users of CSP.  The
problem is not eval(), it is inadequate vetting of content obtained over
the network.

jjb


>
> Adam
>
>
> On Thu, Jul 19, 2012 at 10:45 AM, John J Barton
> <johnjbarton@johnjbarton.com> wrote:
> > Hi. I was looking into converting my application to use CSP when I
> > learned that neither eval nor new Function() are allowed. I have a
> > large application that uses these features to compile JS at runtime.
> > I am wondering what alternatives are available.
> >
> > Thanks,
> > jjb
>
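To make the policy semantics in the exchange above concrete, here is an added example (not part of the thread and not code from either author): a minimal parser for a CSP policy string that decides whether eval()/new Function() would be permitted, applying the rule that script-src governs eval, that default-src is the fallback when script-src is absent, and that the policy is unrestricted when neither is present. The sample policies in POLICIES are constructed for illustration; the one labelled adamSuggestion is the string quoted in the reply.

```javascript
// Added example: decide whether a CSP policy permits eval()/new Function().
// Assumption: a policy is a ';'-separated list of directives, each being a
// directive name followed by whitespace-separated source expressions; the
// first occurrence of a directive wins and later duplicates are ignored.

function parseCsp(policy) {
  const directives = {};
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

function evalAllowed(policy) {
  const directives = parseCsp(policy);
  // script-src governs eval; default-src applies only when script-src is absent
  const governing = 'script-src' in directives
    ? directives['script-src']
    : directives['default-src'];
  if (governing === undefined) return true; // no directive restricts scripts
  // The 'unsafe-eval' keyword is matched ASCII case-insensitively
  return governing.some((src) => src.toLowerCase() === "'unsafe-eval'");
}

// Constructed sample policies (not taken from any real deployment)
const POLICIES = {
  adamSuggestion: "default-src 'self'; script-src 'self' 'unsafe-eval'",
  scriptSelfOnly: "script-src 'self'; object-src 'self'",
  defaultOnly: "default-src 'self'",
  unrestricted: "img-src 'self'",
  duplicateScriptSrc: "script-src 'self'; script-src 'unsafe-eval'",
};

// Summarise each policy; prints "<name>: eval allowed|blocked"
function summarise(policies) {
  return Object.entries(policies).map(
    ([name, policy]) => `${name}: eval ${evalAllowed(policy) ? 'allowed' : 'blocked'}`
  );
}

for (const line of summarise(POLICIES)) console.log(line);
```

Note the duplicateScriptSrc case: because the first script-src is the one that applies, appending a second script-src with 'unsafe-eval' does not re-enable eval, which is worth checking when a policy is assembled from several fragments.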
Received on Thursday, 19 July 2012 18:18:26 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 19 July 2012 18:18:26 GMT