Re: CSP, unsafe-eval and crypto.generateCRMFRequest

My understanding is that generateCRMFRequest isn't mentioned because
it's a Mozilla-proprietary API.  However, your point about the spec
being overly explicit is a good one.  Maybe we should add some text
about the intent behind 'unsafe-eval' so it's easier for folks to
decide how to treat future/proprietary APIs?  We can also add some
informative text about generateCRMFRequest if that would be useful to


On Fri, Dec 28, 2012 at 9:51 AM, Ian Melven <> wrote:
> Hi,
> recently Paul Theriault discovered that in Gecko, crypto.generateCRMFRequest bypasses CSP by
> allowing script execution from a string when unsafe-eval isn't specified as part of
> an applied CSP.
> this has been filed as
> there was a suggestion in the bug to add this to the list of eval and friends
> blocked by CSP in the spec - i think in general the spec avoids exhaustively listing
> all the ways to do things such as eval, but am bringing this up here to see if others
> think we should call out this case since it seems like a fairly
> easy one to miss.
> thanks !
> ian

Received on Saturday, 5 January 2013 21:27:42 UTC