
Re: Feature-detecting a Content Security Policy

From: Jim Manico <jim.manico@owasp.org>
Date: Sat, 27 Sep 2014 08:48:51 -0700
Message-ID: <5426DC63.5070800@owasp.org>
To: Marijn Haverbeke <marijnh@gmail.com>, public-webappsec@w3.org
This is a really fair question. One of the only legit uses of the JS 
*eval* function is runtime loading of resources and similar runtime 
optimizations for performance enhancements for JS libraries. I'm really 
curious what the solution is here other than to just be ... slow and not 
use eval.

- Jim


On 9/26/14, 7:32 AM, Marijn Haverbeke wrote:
> The simple question: why was document.securityPolicy removed? I was
> not able to find the relevant discussion.
>
> Background: I maintain several JavaScript libraries that use run-time
> evaluation as an optimization strategy. Users (mostly building Chrome
> Web Apps) have started reporting problems with using these libraries
> when a CSP is active. It is usually possible to fall back to a slower
> approach without evaluation, but it seems there is no way (short of
> triggering an actual violation) of detecting that such a policy is in
> place, which would be necessary to know when to fall back to the
> eval-less implementation.
>
> Best,
> Marijn Haverbeke
>
>
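As an added example (not code from this thread, nor from either author's libraries), the following shows the detect-and-fall-back pattern Marijn describes: probe whether runtime code generation is permitted, and if a CSP refuses it, use an interpreted implementation of the same feature. The property-path accessor, the `BlockedFunction` stand-in and all function names are my own assumptions; the probe is the "trigger an actual violation" approach, and the comments note what that costs.

```javascript
// Added example (not code from this thread): detect whether a CSP forbids
// runtime code generation and pick a fallback implementation accordingly.

// Under a Content Security Policy whose script-src lacks 'unsafe-eval',
// browsers throw an EvalError from eval() and from the Function
// constructor. Probing with the Function constructor is the cheapest
// check, but the probe itself is reported as a violation (to report-uri
// and as a securitypolicyviolation event), which is the cost Marijn's
// message refers to. The constructor is injectable so the blocked case
// can be exercised outside a browser.
function runtimeCodegenAllowed(FunctionCtor = Function) {
  try {
    // Trivial, side-effect-free probe body.
    return new FunctionCtor('return true;')() === true;
  } catch (err) {
    // Any failure is treated as "not allowed"; a real CSP refusal is an
    // EvalError, but being conservative here costs only performance.
    return false;
  }
}

// Constructed stand-in for a browser refusing codegen under CSP; it throws
// the same error type a browser would. Hypothetical, for offline runs.
function BlockedFunction() {
  throw new EvalError('Refused to evaluate a string as JavaScript (constructed stand-in)');
}

// Fast path: compile a property path such as "user.address.city" into a
// dedicated accessor function. Only identifier segments are accepted, so
// no caller-supplied text reaches the generated source as code.
const PATH_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function compileGetter(path, FunctionCtor = Function) {
  if (!PATH_RE.test(path)) throw new TypeError('invalid property path: ' + path);
  const body = ['let cur = obj;']
    .concat(path.split('.').map(
      (seg) => 'cur = cur == null ? undefined : cur[' + JSON.stringify(seg) + '];'))
    .concat(['return cur;'])
    .join('\n');
  return new FunctionCtor('obj', body);
}

// Slow path: the same accessor with no code generation at all; this is the
// eval-less implementation a library falls back to.
function interpretGetter(path) {
  if (!PATH_RE.test(path)) throw new TypeError('invalid property path: ' + path);
  const segments = path.split('.');
  return function (obj) {
    let cur = obj;
    for (const seg of segments) {
      cur = cur == null ? undefined : cur[seg];
    }
    return cur;
  };
}

// Probe once, then hand out whichever implementation the policy permits.
function makeGetter(path, FunctionCtor = Function) {
  return runtimeCodegenAllowed(FunctionCtor)
    ? compileGetter(path, FunctionCtor)
    : interpretGetter(path);
}

// In a browser the probe also fires a securitypolicyviolation event on
// document; logging it shows operators that the fallback was taken.
// Guarded so the block still runs where no document exists.
function watchCspViolations(log = console.warn) {
  if (typeof document === 'undefined') return false;
  document.addEventListener('securitypolicyviolation', (e) => {
    log('CSP violation: ' + e.violatedDirective + ' blocked ' + e.blockedURI);
  });
  return true;
}

// Constructed sample input.
const sample = { user: { address: { city: 'Oslo' } } };
console.log(makeGetter('user.address.city')(sample));                  // fast path
console.log(makeGetter('user.address.city', BlockedFunction)(sample)); // fallback
```

Both paths return identical results for the same input, so the only observable difference for callers is speed; the one-time probe means a single violation report per page load rather than one per call, which is what a report-uri collector will see when the fallback is in use.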
Received on Saturday, 27 September 2014 15:49:49 UTC