Re: Feature-detecting a Content Security Policy

From: Marijn Haverbeke <marijnh@gmail.com>
Date: Sun, 28 Sep 2014 22:38:52 +0200
Message-ID: <CAJnHWXuiKOyR=40VQ+2w8noePBWYF75SVG+s9ZOjQjprXhg-vg@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Jim Manico <jim.manico@owasp.org>, public-webappsec@w3.org

> Does a try catch around eval work?

It does, in principle, but this is what I meant by "short of
triggering an actual violation" in my original mail. Bumping up
against the security policy causes a violation to be logged to
Chrome's JS console, even when caught (which might not exactly inspire
trust in users who glance at it), and, if I understand the CSP
standard correctly, sites can configure such violations to be
reported, which would cause a lot of false positives to come in. As
such, I'd like to avoid this approach.

Received on Sunday, 28 September 2014 20:39:19 UTC
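
The behaviour described in the message above, as an added example that is not part of the original mail: a caught eval probe still produces a policy violation that a page or report collector can observe. The names `probeEval`, `watchViolations` and `blockedCompileOn` are hypothetical, and the event field values are constructed samples.

```javascript
// Added example; all function names here are hypothetical.

// Feature-detect eval by attempting it. Under a policy without 'unsafe-eval'
// the Function constructor throws, and the catch turns that into `false`.
function probeEval(compile = (src) => new Function(src)) {
  try {
    compile("return 1");
    return true;
  } catch (err) {
    return false; // the exception stops here, the violation does not
  }
}

// Collect 'securitypolicyviolation' events fired on `target`
// (`document` in a real page). Returns the live list and a stop() handle.
function watchViolations(target) {
  const seen = [];
  const onViolation = (e) =>
    seen.push({ directive: e.effectiveDirective, blocked: e.blockedURI });
  target.addEventListener("securitypolicyviolation", onViolation);
  return {
    seen,
    stop: () => target.removeEventListener("securitypolicyviolation", onViolation),
  };
}

// Constructed stand-in for a page whose policy blocks eval, so the example
// runs outside a browser. A browser queues the event as a task; this
// stand-in fires it synchronously for simplicity, then throws.
function blockedCompileOn(target) {
  return () => {
    const ev = new Event("securitypolicyviolation");
    ev.effectiveDirective = "script-src"; // constructed sample value
    ev.blockedURI = "eval";               // constructed sample value
    target.dispatchEvent(ev);
    throw new EvalError("blocked by Content Security Policy");
  };
}

// In a page: watch the document, probe, then print what was recorded.
if (typeof document !== "undefined") {
  const w = watchViolations(document);
  const allowed = probeEval();
  setTimeout(() => console.log("eval allowed:", allowed, "violations:", w.seen), 0);
}
```

On a page served with a policy that omits `'unsafe-eval'`, the probe returns `false` and the watcher still records an entry, which is the same signal a configured report endpoint would receive.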
