Re: Secure dynamic JS compilation under CSP

If you want to use eval, you can enable it by listing 'unsafe-eval'
(with the quotes) in the script-src part of your CSP policy:

default-src 'self'; script-src 'self' 'unsafe-eval'


On Thu, Jul 19, 2012 at 10:45 AM, John J Barton wrote:
> Hi. I was looking into converting my application to use CSP when I learned
> that neither eval nor new Function() are allowed. I have a large application
> that uses these features to compile JS at runtime. I am wondering what
> alternatives are available.
> Thanks,
> jjb

Received on Thursday, 19 July 2012 17:55:06 UTC