Re: Secure dynamic JS compilation under CSP

On Thu, Jul 19, 2012 at 10:54 AM, Adam Barth <w3c@adambarth.com> wrote:

> If you want to use eval, you can enable it by listing 'unsafe-eval'
> (with the quotes) in the script-src part of your CSP policy:
>
> default-src 'self'; script-src 'self' 'unsafe-eval'
>

Thanks for the suggestion. However, this option does not seem to be allowed
for Chrome extensions:
http://code.google.com/chrome/extensions/contentSecurityPolicy.html#H2-3

Any other suggestions?

By the way, I object to the name of this option. "unsafe-eval" implies that
eval is unsafe or that the CSP user intends to use eval in an unsafe
manner. Neither of these is true for any practical users of CSP. The
problem is not eval(), it is inadequate vetting of content obtained over
the network.

jjb


>
> Adam
>
>
> On Thu, Jul 19, 2012 at 10:45 AM, John J Barton
> <johnjbarton@johnjbarton.com> wrote:
> > Hi. I was looking into converting my application to use CSP when I
> learned
> > that neither eval nor new Function() are allowed. I have a large
> application
> > that uses these features to compile JS at runtime. I am wondering what
> > alternatives are available.
> >
> > Thanks,
> > jjb
>

Received on Thursday, 19 July 2012 18:18:26 UTC
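The policy semantics Adam describes above, as an added example that is not part of the original thread or of either poster's code: a small checker that decides from a CSP policy string whether eval()/new Function() are permitted. It follows the rule that 'unsafe-eval' must appear (with the quotes) in script-src, and that script-src falls back to default-src when absent; the policy strings below are constructed for illustration. The feature-detection helper at the end is an assumption about how an application could probe its own environment: a CSP-blocked eval throws EvalError in the browser, while Node (where this example runs) has no CSP and always allows it.

```javascript
// Added example (not from the thread): decide from a CSP policy string whether
// eval() / new Function() are permitted, following the directive semantics
// described in the thread: 'unsafe-eval' must appear, quoted, in script-src,
// and script-src falls back to default-src when it is absent.

// Parse "name src src; name src" into a Map of directive name -> source list.
// When a directive is repeated, the first occurrence wins and later ones are
// ignored, matching how CSP user agents treat duplicate directives.
function parsePolicy(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return true when dynamic code evaluation is allowed under this policy.
// Only the quoted keyword counts: an unquoted unsafe-eval is a host source
// named "unsafe-eval", not the keyword, which is the point of "(with the
// quotes)" above.
function evalPermitted(policy) {
  const d = parsePolicy(policy);
  const sources = d.get('script-src') ?? d.get('default-src');
  if (sources === undefined) return true; // no governing directive: no restriction
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Assumed runtime probe (hypothetical helper, not from the thread): an
// application that compiles JS at runtime can detect up front whether the
// page's effective CSP blocks it. Browsers raise EvalError for a CSP block;
// any other exception is a genuine bug and is re-thrown.
function evalAvailable() {
  try {
    return new Function('return true')() === true;
  } catch (e) {
    if (e instanceof EvalError) return false;
    throw e;
  }
}

// Constructed sample policies for illustration.
const samplePolicies = [
  "default-src 'self'; script-src 'self' 'unsafe-eval'", // Adam's suggestion
  "default-src 'self'; script-src 'self'",               // eval blocked
  "default-src 'self' 'unsafe-eval'",                    // inherited via default-src
  "script-src 'self' unsafe-eval",                       // unquoted: not the keyword
];
for (const p of samplePolicies) {
  console.log(`${evalPermitted(p) ? 'allowed' : 'blocked'}  <- ${p}`);
}
```

Run under Node the probe returns true because no CSP is enforced there; in a page served with the second sample policy it would return false, which is the state the original question describes.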