- From: John J Barton <johnjbarton@johnjbarton.com>
- Date: Thu, 19 Jul 2012 11:17:58 -0700
- To: Adam Barth <w3c@adambarth.com>
- Cc: public-webappsec@w3.org
Received on Thursday, 19 July 2012 18:18:26 UTC
On Thu, Jul 19, 2012 at 10:54 AM, Adam Barth <w3c@adambarth.com> wrote:
> If you want to use eval, you can enable it by listing 'unsafe-eval'
> (with the quotes) in the script-src part of your CSP policy:
>
> default-src 'self'; script-src 'self' 'unsafe-eval'
>

Thanks for the suggestion. However, this option does not seem to be allowed for Chrome extensions:
http://code.google.com/chrome/extensions/contentSecurityPolicy.html#H2-3

Any other suggestions?

By the way, I object to the name of this option. "unsafe-eval" implies that eval is unsafe or that the CSP user intends to use eval in an unsafe manner. Neither of these is true for any practical users of CSP. The problem is not eval(), it is inadequate vetting of content obtained over the network.

jjb

> Adam
>
> On Thu, Jul 19, 2012 at 10:45 AM, John J Barton
> <johnjbarton@johnjbarton.com> wrote:
> > Hi. I was looking into converting my application to use CSP when I learned
> > that neither eval nor new Function() are allowed. I have a large application
> > that uses these features to compile JS at runtime. I am wondering what
> > alternatives are available.
> >
> > Thanks,
> > jjb
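The policy quoted in this exchange hinges on one detail that is easy to get wrong: eval() and new Function() are governed by script-src, and only fall back to default-src when script-src is absent. The following is an added example (not code from the thread or from any browser or Chrome extension implementation) that parses a CSP string the way that fallback rule works and reports whether the policy permits eval. The function names and the sample policies are constructed for the example.

```javascript
// Parse a Content-Security-Policy string into a Map of directive -> source list.
// Directives are separated by ';'; the first occurrence of a directive name wins,
// later duplicates are ignored (as the CSP specification prescribes).
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return the name of the directive that governs script execution for this
// policy: 'script-src' if present, otherwise 'default-src', otherwise null
// (meaning the policy places no restriction on scripts at all).
function evalGoverningDirective(policy) {
  const directives = parseCsp(policy);
  if (directives.has('script-src')) return 'script-src';
  if (directives.has('default-src')) return 'default-src';
  return null;
}

// True when eval()/new Function() would be permitted under this policy:
// either no script-governing directive exists, or the governing directive
// lists the 'unsafe-eval' keyword (quotes included, as in the thread).
function policyAllowsEval(policy) {
  const directives = parseCsp(policy);
  const governing = evalGoverningDirective(policy);
  if (governing === null) return true;
  return directives.get(governing).some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Constructed sample policies illustrating the fallback rule.
const samples = [
  "default-src 'self'; script-src 'self' 'unsafe-eval'", // the policy from the thread: eval allowed
  "default-src 'self'",                                   // no script-src, default-src has no keyword: blocked
  "default-src 'self' 'unsafe-eval'; script-src 'self'", // script-src overrides default-src: blocked
  "img-src 'self'",                                       // nothing governs scripts: eval not restricted
];

for (const p of samples) {
  const directive = evalGoverningDirective(p) || '(none)';
  console.log(`${p}\n  governed by ${directive}, eval allowed: ${policyAllowsEval(p)}`);
}
```

The third sample is the case that usually surprises people: adding 'unsafe-eval' to default-src does nothing once a script-src directive exists, because script-src replaces the fallback rather than extending it.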