- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 19 Jul 2012 10:54:05 -0700
- To: John J Barton <johnjbarton@johnjbarton.com>
- Cc: public-webappsec@w3.org
If you want to use eval, you can enable it by listing 'unsafe-eval' (with the quotes) in the script-src part of your CSP policy: default-src 'self'; script-src 'self' 'unsafe-eval' Adam On Thu, Jul 19, 2012 at 10:45 AM, John J Barton <johnjbarton@johnjbarton.com> wrote: > Hi. I was looking into converting my application to use CSP when I learned > that neither eval nor new Function() are allowed. I have a large application > that uses these features to compile JS at runtime. I am wondering what > alternatives are available. > > Thanks, > jjb
Received on Thursday, 19 July 2012 17:55:06 UTC