Re: CSP unsafe-eval alternative for a 'trusted' or 'eval-src: self'?

From: Mike West <mkwst@google.com>
Date: Wed, 28 Jan 2015 10:45:03 +0100
Message-ID: <CAKXHy=du+c18bZ613xSRHi_oGVFJUhpwy3=4_WqwdHmxbZaALQ@mail.gmail.com>
To: david kaye <dfkaye@yahoo.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Tue, Jan 27, 2015 at 11:04 PM, david kaye <dfkaye@yahoo.com> wrote:

> Would it be possible to define the eval restriction a bit differently, for
> instance with 'eval-src: self' to allow Function() calls *only* from
> trusted sources?
>

Practically, V8 only offers a global switch to turn code generation from
strings on or off. Gecko might have an easier time with this proposal,
perhaps?

Theoretically, the notion of a "trusted source" becomes hazy quite quickly.
As a simple example, consider the following two files:

    // file1.js
    function doEval(str) {
      eval(str);
    }

    // file2.js
    doEval('alert("Hello, world!");');

If you include both files, which one do you gate on `eval-src`?

-mike
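As an added example that is not part of the thread, the JavaScript below models the per-script `eval-src` gate under discussion (script origins are simulated with a tag string, since no engine exposes such a switch) and shows that a script outside `eval-src` still reaches `eval()` through a trusted helper, next to the dispatch-table alternative that lets a page drop `'unsafe-eval'` altogether. The `policy`, `gatedEval`, `dispatch` and `handlers` names are hypothetical.

```javascript
// Added example, not code from the mailing-list thread: a toy model of a
// per-script 'eval-src' gate showing why "which file do you gate on?" has no
// clean answer. Script origins are simulated with a tag string; real engines
// (V8) only offer a global on/off switch for code generation from strings.
const policy = { evalSrc: new Set(["file1.js"]) }; // hypothetical 'eval-src'

// Gate that permits code generation only when the *immediate* caller of eval()
// lives in an allowed script, the most natural per-script semantics.
function gatedEval(str, callerScript) {
  if (!policy.evalSrc.has(callerScript)) {
    throw new EvalError(`eval blocked: ${callerScript} is not in eval-src`);
  }
  return (0, eval)(str); // indirect eval: evaluates str in the global scope
}

// file1.js (trusted): a helper that evaluates whatever string it is handed.
function doEval(str) {
  return gatedEval(str, "file1.js");
}

// file2.js (not in eval-src) never calls eval() itself, yet reaches it through
// the trusted helper: the gate only ever sees file1.js and lets it through.
function untrustedCaller() {
  return doEval("1 + 41"); // constructed payload string
}

// Defender's alternative: remove eval entirely and expose a fixed dispatch
// table, so there is nothing to gate and 'unsafe-eval' stays out of the CSP.
const handlers = {
  add: (a, b) => a + b,
  greet: (who) => `Hello, ${who}!`,
};

function dispatch(name, args) {
  // hasOwnProperty guards against names inherited from Object.prototype
  if (!Object.prototype.hasOwnProperty.call(handlers, name)) {
    throw new Error(`no handler named ${name}`);
  }
  return handlers[name](...args);
}
```

`untrustedCaller()` succeeds despite file2.js being outside `eval-src`, which is the confused-deputy problem the reply describes; `dispatch` has the same shape as `doEval` but accepts only allowlisted names.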
Received on Wednesday, 28 January 2015 09:45:51 UTC