
Re: CSP reports on eval() and inline

From: Neil Matatall <neilm@twitter.com>
Date: Thu, 4 Sep 2014 10:02:04 -0700
Message-ID: <CAOFLtbgbOvM+CD4n38tEcuB-6KWbQ7A84kwaTonYA4RKUHGrhA@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal.com>
Cc: Mike West <mkwst@google.com>, Pawel Krawczyk <pawel.krawczyk@hush.com>, Dan Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

Firefox's script sample says: "call to eval() or related function
blocked by CSP" and that's pretty useful.

Also, if this is plugin noise, the line number / column number may be
skewed if DOM elements are injected.

On Thu, Sep 4, 2014 at 9:58 AM, Neil Matatall <neilm@twitter.com> wrote:
> There are already plenty of non-URIs in that value:
>
> null
> about
> data:text/javascript;base64,...
> asset
> weixin
> android-webview
> pixivnanikahelper
>
> Or at least URIs that the standard Java URI cannot parse. As a likely
> unauthenticated endpoint, validation is required either way.
Received on Thursday, 4 September 2014 17:02:37 UTC
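As an added example (not code from the thread or from any participant's system), here is a small receiver-side parser for CSP report bodies that treats blocked-uri as untrusted input, in line with the point above that the endpoint is unauthenticated: bare tokens such as null, about, weixin or android-webview are kept as opaque labels rather than parsed as URLs, data: URIs are reduced to their scheme, real URLs are reduced to their origin, and the Firefox script-sample wording quoted above is used to flag eval() violations. The size caps and category names are my own assumptions.

```python
import json
import re
from urllib.parse import urlsplit

MAX_REPORT_BYTES = 8 * 1024     # assumption: cap on the unauthenticated POST body
MAX_FIELD_LEN = 2048            # assumption: cap on any single string field
# Firefox's script-sample wording, as quoted in the thread.
EVAL_SAMPLE = "call to eval() or related function blocked by CSP"
# Bare, scheme-like words seen in blocked-uri: null, about, weixin, android-webview, ...
TOKEN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]{0,63}$")

def classify_blocked_uri(value):
    """Return (kind, normalized) for a blocked-uri value; kind is 'empty',
    'token', 'data', 'url' or 'invalid'. Payloads, paths and queries are dropped."""
    if not isinstance(value, str) or value == "":
        return ("empty", "")
    if len(value) > MAX_FIELD_LEN:
        return ("invalid", "")
    if TOKEN_RE.match(value):
        return ("token", value.lower())
    parts = urlsplit(value)
    if not parts.scheme:
        return ("invalid", "")
    if parts.scheme == "data":
        return ("data", "data:")            # keep the scheme, discard the payload
    if not parts.netloc:                    # e.g. about:blank, javascript:...
        return ("token", parts.scheme.lower())
    return ("url", f"{parts.scheme}://{parts.netloc}".lower())

def parse_csp_report(body):
    """Validate one CSP report POST body (a str) and reduce it to a small dict.
    Raises ValueError on oversized, non-JSON or malformed input."""
    if len(body) > MAX_REPORT_BYTES:
        raise ValueError("report too large")
    doc = json.loads(body)                  # JSONDecodeError is a ValueError
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    kind, blocked = classify_blocked_uri(report.get("blocked-uri"))
    sample = report.get("script-sample")
    directive = report.get("violated-directive")
    return {
        "directive": directive[:MAX_FIELD_LEN] if isinstance(directive, str) else "",
        "blocked_kind": kind,
        "blocked": blocked,
        "eval_blocked": isinstance(sample, str) and sample.startswith(EVAL_SAMPLE),
    }
```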
