- From: Marijn Haverbeke <marijnh@gmail.com>
- Date: Sun, 28 Sep 2014 22:38:52 +0200
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: Jim Manico <jim.manico@owasp.org>, public-webappsec@w3.org
> Does a try catch around eval work?

It does, in principle, but this is what I meant by "short of triggering an actual violation" in my original mail. Bumping up against the security policy causes a violation to be logged to Chrome's JS console, even when caught (which might not exactly inspire trust in users who glance at it), and, if I understand the CSP standard correctly, sites can configure such violations to be reported, which would cause a lot of false positives to come in. As such, I'd like to avoid this approach.

Best,
Marijn
Received on Sunday, 28 September 2014 20:39:19 UTC
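
The try/catch probe discussed in this message, as an added example that is not from the thread: Node's `vm` module with `codeGeneration.strings` disabled stands in for a page whose policy lacks `'unsafe-eval'` (an assumption; the `probe` helper and `PROBES` table are hypothetical names). The sandbox has no CSP reporting, so it shows only that the catch works, not the console entry or violation report the message describes.

```javascript
// Added illustration, not code from the thread.
const vm = require('node:vm');

// The two string-to-code entry points a library might want to feature-test.
const PROBES = {
  eval: "eval('1 + 1')",
  Function: "new Function('return 1 + 1')()",
};

// Run one probe inside a fresh context and report what the try/catch saw.
// allowStrings=false models a policy without 'unsafe-eval' (assumption:
// the sandbox refuses code generation the way a CSP-restricted page does).
function probe(kind, allowStrings) {
  const source = `(function () {
    try {
      ${PROBES[kind]};
      return 'allowed';
    } catch (e) {
      // The refusal is catchable, so the calling script keeps running.
      return 'blocked:' + e.name;
    }
  })()`;
  const context = vm.createContext({}, {
    codeGeneration: { strings: allowStrings, wasm: false },
  });
  // The probe returns a plain string, so no cross-context objects leak out.
  return vm.runInContext(source, context);
}

// Summarise both entry points for one policy setting.
function probeAll(allowStrings) {
  return Object.keys(PROBES).map((k) => `${k}=${probe(k, allowStrings)}`).join(' ');
}

console.log('strings allowed :', probeAll(true));
console.log('strings blocked :', probeAll(false));
```

In a browser the same blocked call is what produces the console message and, where the site has configured reporting, the violation report; catching the exception afterwards does not undo either.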