
CSP unsafe-eval alternative for a 'trusted' or 'eval-src: self'?

From: david kaye <dfkaye@yahoo.com>
Date: Tue, 27 Jan 2015 22:04:50 +0000 (UTC)
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <1884723246.1449400.1422396290534.JavaMail.yahoo@mail.yahoo.com>
As I understand it, the unsafe-eval permission is an all-or-none proposition:
+ if not permitted, then no script containing eval & cousins is allowed to execute.
+ if permitted, then any script containing eval & cousins (at least with respect to permitted sources) is allowed to execute.
Many js modules these days use Function() to create code dynamically (template engines, e.g.) or to defer evaluation of code bodies until requested (for a nice performance win).
Would it be possible to define the eval restriction a bit differently, for instance with 'eval-src: self' to allow Function() calls *only* from trusted sources?
I know it's a bit late in the game and I don't mean to cause headaches, but having scrolled the ML I have yet to see this suggested (at least in this way).
Thanks for your attention.
Received on Wednesday, 28 January 2015 08:10:13 UTC
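The following is an added example, not part of the post above and not code from any library it mentions. It shows the situation the post describes from a module author's side: a small template engine (the `{{name}}` placeholder syntax is made up for this example) that compiles templates through the Function constructor, beside an interpreter that renders the same template without any dynamic code, plus the try/catch probe a library can use to detect at runtime whether the page's CSP permits eval. Under `Content-Security-Policy: script-src 'self'` (no 'unsafe-eval'), a browser throws an EvalError from `new Function`, so `compile()` falls back to the interpreter; Node.js enforces no CSP, so there the fast path is taken.

```javascript
// Constructed template syntax for this example: {{name}} placeholders,
// HTML-escaped on output. Names are limited to identifier characters.
const TOKEN = /\{\{\s*([A-Za-z_$][\w$]*)\s*\}\}/g;

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Runtime probe: does this realm allow dynamic code at all?
// With a CSP script-src lacking 'unsafe-eval', browsers throw an EvalError
// here. Node.js has no CSP, so this returns true when run locally.
function dynamicCodeAllowed() {
  try {
    new Function('return 1')();
    return true;
  } catch (e) {
    return false;
  }
}

// Fast path: turn the template into JavaScript source once and let the
// engine compile it. This is the "Function() to create code dynamically"
// pattern from the post; CSP cannot distinguish it from an attacker-driven
// eval, so it is blocked wholesale unless 'unsafe-eval' is granted.
function compileWithFunction(template) {
  let body = 'return ""';
  let last = 0;
  for (const m of template.matchAll(TOKEN)) {
    body += ' + ' + JSON.stringify(template.slice(last, m.index));
    // JSON.stringify keeps the generated source well-formed even though
    // TOKEN already restricts names to identifier characters.
    body += ' + esc(data[' + JSON.stringify(m[1]) + '])';
    last = m.index + m[0].length;
  }
  body += ' + ' + JSON.stringify(template.slice(last)) + ';';
  const fn = new Function('esc', 'data', body);
  return (data) => fn(escapeHtml, data);
}

// Interpreter path: no dynamic code. The template is parsed once into a
// static list of literal and placeholder parts, then rendered by walking it.
// Slower than the compiled form, but works under any CSP.
function compileWithInterpreter(template) {
  const parts = [];
  let last = 0;
  for (const m of template.matchAll(TOKEN)) {
    parts.push({ lit: template.slice(last, m.index) });
    parts.push({ key: m[1] });
    last = m.index + m[0].length;
  }
  parts.push({ lit: template.slice(last) });
  return (data) =>
    parts.map((p) => ('lit' in p ? p.lit : escapeHtml(data[p.key]))).join('');
}

// Library entry point: take the compiled form only where the page's
// policy permits it, otherwise degrade to the interpreter.
function compile(template) {
  return dynamicCodeAllowed()
    ? compileWithFunction(template)
    : compileWithInterpreter(template);
}

// Usage with constructed sample data:
const render = compile('Hello, {{name}}! <b>{{ title }}</b>');
console.log(render({ name: '<script>', title: 'a & b' }));
```

The two render paths produce byte-identical output, which is the point: the security-relevant difference is only in how the code came to exist, and that is exactly what the current all-or-nothing 'unsafe-eval' switch cannot express per source.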
