- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Mon, 05 Mar 2012 13:23:10 -0800
- To: David Bruant <bruant.d@gmail.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 3/5/12 11:58 AM, David Bruant wrote: > Do you have an example of an XSS that can be avoided by the specific > prevention of eval? I'm obviously talking about a case where eval is > legitimate. > People who misuse eval will at best not be aware of CSP and at worst say > "it broke my code" and disable it right away when trying it. The web has built up a history of using eval() in sloppy and unnecessary ways. Eval can be used carefully, but the CSP default encourages thought about safer alternatives to many current uses. Let's say you're building a complex/commercial site. Even if -you- use eval safely in your own code, are you confident enough that all your 3rd-party script providers are as careful such that you're willing to roll the dice by enabling eval support? Maybe you are, and in that case enable eval in good health. >> CSP's baby steps toward forcing >> authors to separate script and content are only a start. > Interesting. What are the next steps? Can you tell more? Or where can I > read more about the long term vision of the web platform security? Inventing next steps is part of this working group and other security-focused ones at W3 and IETF. -Dan Veditz
Received on Monday, 5 March 2012 21:23:54 UTC