- From: Hill, Brad <bhill@paypal-inc.com>
- Date: Fri, 28 Dec 2012 19:19:33 +0000
- To: Ian Melven <imelven@mozilla.com>, public-webappsec <public-webappsec@w3.org>
Certainly seems like it should go in the test suite. Perhaps we ought to have a wiki page providing some test-case narrative and history, including this list of non-obvious eval equivalents?

> -----Original Message-----
> From: Ian Melven [mailto:imelven@mozilla.com]
> Sent: Friday, December 28, 2012 9:52 AM
> To: public-webappsec
> Subject: CSP, unsafe-eval and crypto.generateCRMFRequest
>
> Hi,
>
> recently Paul Theriault discovered that in Gecko,
> crypto.generateCRMFRequest bypasses CSP by allowing script execution
> from a string when unsafe-eval isn't specified as part of an applied CSP.
>
> this has been filed as http://bugzilla.mozilla.org/show_bug.cgi?id=824652
>
> there was a suggestion in the bug to add this to the list of eval and friends
> blocked by CSP in the spec - i think in general the spec avoids exhaustively
> listing all the ways to do things such as eval, but am bringing this up here to
> see if others think we should call out this case since it seems like a fairly easy
> one to miss.
>
> thanks !
> ian
Received on Friday, 28 December 2012 19:21:35 UTC