Re: Feature-detecting a Content Security Policy

Does a try catch around eval work?
On Sep 27, 2014 8:51 AM, "Jim Manico" <jim.manico@owasp.org> wrote:

> This is a really fair question. One of the only legit uses of the JS
> *eval* function is runtime loading of resources and similar runtime
> optimizations for performance enhancements for JS libraries. I'm really
> curious what the solution is here other than to just be ... slow and not
> use eval.
>
> - Jim
>
> On 9/26/14, 7:32 AM, Marijn Haverbeke wrote:
>
>> The simple question: why was document.securityPolicy removed? I was
>> not able to find the relevant discussion.
>>
>> Background: I maintain several JavaScript libraries that use run-time
>> evaluation as an optimization strategy. Users (mostly building Chrome
>> Web Apps) have started reporting problems with using these libraries
>> when a CSP is active. It is usually possible to fall back to a slower
>> approach without evaluation, but it seems there is no way (short of
>> triggering an actual violation) of detecting that such a policy is in
>> place, which would be necessary to know when to fall back to the
>> eval-less implementation.
>>
>> Best,
>> Marijn Haverbeke

Received on Saturday, 27 September 2014 17:39:33 UTC
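
The try/catch probe asked about in this thread, as an added example that is not part of the original messages or of any library mentioned in them: it checks whether the Function constructor is usable and otherwise selects an eval-free implementation with the same behaviour. The names canEvaluate, parsePath, compilePath, interpretPath and makeGetter are hypothetical, and the injectable `factory` parameter is an assumption made so the blocked case can be simulated without a browser.

```javascript
// Added example: feature-detect string evaluation, then choose between a
// generated and an eval-free implementation of the same accessor.

// Probe the code generator. Under a CSP without 'unsafe-eval' the Function
// constructor throws (EvalError in current browsers). The probe is itself a
// violation, so it is reported if the policy has a reporting endpoint.
// `factory` defaults to Function and can be replaced to simulate a block.
function canEvaluate(factory = Function) {
  try {
    return factory('return 1 + 1')() === 2;
  } catch (e) {
    return false;
  }
}

// Keys are spliced into generated source, so only plain identifiers pass.
const SAFE_KEY = /^[A-Za-z_$][\w$]*$/;

function parsePath(path) {
  const keys = path.split('.');
  if (!keys.every((k) => SAFE_KEY.test(k))) {
    throw new TypeError('unsupported path: ' + path);
  }
  return keys;
}

// Fast path: build a specialised accessor from source text.
function compilePath(keys, factory = Function) {
  let body = '';
  for (const k of keys) body += `if (o == null) return undefined; o = o.${k};\n`;
  return factory('o', body + 'return o;');
}

// Fallback: same semantics, no code generation.
function interpretPath(keys) {
  return function (o) {
    for (const k of keys) {
      if (o == null) return undefined;
      o = o[k];
    }
    return o;
  };
}

function makeGetter(path, factory = Function) {
  const keys = parsePath(path);
  return canEvaluate(factory) ? compilePath(keys, factory) : interpretPath(keys);
}
```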