CSP unsafe-eval alternative for a 'trusted' or 'eval-src: self'? from david kaye on 2015-01-27 (public-webappsec@w3.org from January 2015)

From: david kaye <dfkaye@yahoo.com>
Date: Tue, 27 Jan 2015 22:04:50 +0000 (UTC)
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <1884723246.1449400.1422396290534.JavaMail.yahoo@mail.yahoo.com>

As I understand it, the unsafe-eval permission is an all-or-none proposition:
+ if not permitted, then no script containing eval & cousins is allowed to execute.+ if permitted, then any script containing eval & cousins (at least with respect to permitted sources) is allowed to execute.
Many js modules these days use Function() to create code dynamically (template engines, e.g.) or to defer evaluation of code bodies until requested (for a nice performance win).
 Would it be possible to define the eval restriction a bit differently, for instance with 'eval-src: self' to allow Function() calls *only* from trusted sources?
I know it's a bit late in the game and I don't mean to cause headaches, but having scrolled the ML I have yet to see this suggested (at least in this way).
Thanks for your attention.

Received on Wednesday, 28 January 2015 08:10:13 UTC