
Re: CSP, unsafe-eval and crypto.generateCRMFRequest

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 5 Jan 2013 13:26:42 -0800
Message-ID: <CAJE5ia-OXmnmFygYN19ctN_Rsy+g52d8aWC1YG6ePM=kzSYJVQ@mail.gmail.com>
To: Ian Melven <imelven@mozilla.com>
Cc: public-webappsec <public-webappsec@w3.org>

My understanding is that generateCRMFRequest isn't mentioned because
it's a Mozilla-proprietary API.  However, your point about the spec
being overly explicit is a good one.  Maybe we should add some text
about the intent behind 'unsafe-eval' so it's easier for folks to
decide how to treat future/proprietary APIs?  We can also add some
informative text about generateCRMFRequest if that would be useful to
you.

Adam


On Fri, Dec 28, 2012 at 9:51 AM, Ian Melven <imelven@mozilla.com> wrote:
>
> Hi,
>
> Recently Paul Theriault discovered that in Gecko, crypto.generateCRMFRequest bypasses CSP by
> allowing script execution from a string when unsafe-eval isn't specified as part of
> an applied CSP.
>
> This has been filed as http://bugzilla.mozilla.org/show_bug.cgi?id=824652
>
> There was a suggestion in the bug to add this to the list of eval and friends
> blocked by CSP in the spec - I think in general the spec avoids exhaustively listing
> all the ways to do things such as eval, but am bringing this up here to see if others
> think we should call out this case since it seems like a fairly
> easy one to miss.
>
> Thanks!
> Ian
>
>
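The policy decision the thread is about, written out as an added example (this is not code from the thread, from Mozilla, or from the CSP spec): a small CSP header parser that answers whether a given policy permits string-to-code execution, applying the script-src fallback to default-src and the first-directive-wins rule, and a report over the eval-like sinks that a conforming engine must gate on that answer. The sink list is an assumption of this example: the standard entries follow the CSP spec's treatment of eval-like functions, and the last entry is the Gecko-only API the thread describes, included only to illustrate the point that a proprietary string-compiling API is an easy one for an engine's enforcement to miss.

```javascript
// Added example: minimal CSP policy checker for the 'unsafe-eval' decision.
// Assumes a policy string as it would appear in a Content-Security-Policy header.

// Parse a CSP header value into a Map of directive name -> array of source expressions.
// Directives are separated by ';', tokens by whitespace; the first occurrence of a
// directive name wins and later duplicates are ignored, as CSP requires.
function parseCsp(policy) {
  const directives = new Map();
  for (const token of policy.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// The source list that governs script: script-src if present, otherwise default-src.
// Returns null when neither is present, i.e. the policy does not restrict script at all.
function effectiveScriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// True if the policy lets the page turn strings into code.
// Keyword sources such as 'unsafe-eval' are matched case-insensitively.
function allowsEval(policy) {
  const sources = effectiveScriptSources(parseCsp(policy));
  if (sources === null) return true;
  return sources.some(s => s.toLowerCase() === "'unsafe-eval'");
}

// Sinks that the unsafe-eval decision is meant to cover (assumed list for this example).
// The first four are the standard string-to-code entry points; the last is the
// Gecko-specific API from the thread, which bug 824652 reports was not gated.
const EVAL_LIKE_SINKS = [
  'eval(string)',
  'new Function(string)',
  'setTimeout(string, ms)',
  'setInterval(string, ms)',
  'crypto.generateCRMFRequest(...)', // Gecko-only; the case the thread says is easy to miss
];

// For a policy, report each sink and whether string-to-code through it should be blocked.
// A defender reviewing an engine or a CSP deployment wants every row to agree.
function evalSinkReport(policy) {
  const blocked = !allowsEval(policy);
  return EVAL_LIKE_SINKS.map(sink => ({ sink, shouldBlock: blocked }));
}

// Stand-alone demonstration on a constructed policy that omits 'unsafe-eval'.
if (typeof require !== 'undefined' && require.main === module) {
  const policy = "default-src 'self'; script-src 'self' https://cdn.example"; // constructed
  console.log(`allowsEval: ${allowsEval(policy)}`);
  console.table(evalSinkReport(policy));
}
```

Note the fallback ordering: `'unsafe-eval'` in `default-src` is overridden by a `script-src` that lacks it, which is the rule a quick reading of a header often gets wrong.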
Received on Saturday, 5 January 2013 21:27:42 GMT
