- From: Adam Barth <w3c@adambarth.com>
- Date: Sat, 5 Jan 2013 13:26:42 -0800
- To: Ian Melven <imelven@mozilla.com>
- Cc: public-webappsec <public-webappsec@w3.org>
My understanding is that generateCRMFRequest isn't mentioned because it's a Mozilla-proprietary API. However, your point about the spec being overly explicit is a good one. Maybe we should add some text about the intent behind 'unsafe-eval' so it's easier for folks to decide how to treat future/proprietary APIs? We can also add some informative text about generateCRMFRequest if that would be useful to you. Adam On Fri, Dec 28, 2012 at 9:51 AM, Ian Melven <imelven@mozilla.com> wrote: > > Hi, > > recently Paul Theriault discovered that in Gecko, crypto.generateCRMFRequest bypasses CSP by > allowing script execution from a string when unsafe-eval isn't specified as part of > an applied CSP. > > this has been filed as http://bugzilla.mozilla.org/show_bug.cgi?id=824652 > > there was a suggestion in the bug to add this to the list of eval and friends > blocked by CSP in the spec - i think in general the spec avoids exhaustively listing > all the ways to do things such as eval, but am bringing this up here to see if others > think we should call out this case since it seems like a fairly > easy one to miss. > > thanks ! > ian > >
Received on Saturday, 5 January 2013 21:27:42 UTC