
Re: CSP unsafe-eval alternative for a 'trusted' or 'eval-src: self'?

From: Deian Stefan <deian@cs.stanford.edu>
Date: Thu, 29 Jan 2015 17:30:28 -0800
To: david kaye <dfkaye@yahoo.com>, Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <87a9119hsb.fsf@cs.stanford.edu>

david kaye <dfkaye@yahoo.com> writes:

> Deian,
> Hadn't thought of that - good one.
> So, given:
> // untrusted.evil/file1.js
> function f(str) {
>   eval('alert("w00t")')
> }
> // trusted.com/file1.js
> f('3+4');
> I would expect an error as f is defined in the untrusted file.  
>
> If the engines don't mark or source-map definitions by path, then it's not something CSP can specify/enforce by itself.
> Should I take this up with es-discuss and circle back?

I think that there is a patch for Chromium that associates labels
(origins) with strings, but I don't think that this has landed (nor if
it ever will). This may help going beyond the on/off model, but I think
that coming up with semantics that are not ad-hoc is hard.  (Though
interesting to think about further.) Maybe someone on es-discuss had
thought about this more than me though.

Best,
Deian
Received on Friday, 30 January 2015 01:30:54 UTC
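
Added example, not part of the original message: the on/off model discussed above, shown with Node.js vm contexts standing in for a page under CSP. The `codeGeneration.strings` option plays the role of `unsafe-eval`; the function `g`, the helper `runPage`, the name `trusted.com/file2.js` and the script bodies are constructed for illustration.

```javascript
const vm = require('node:vm');

// Constructed sample scripts. The file names mirror the ones in the quoted
// mail; the bodies are simplified so that both functions eval their argument.
const scripts = [
  { filename: 'untrusted.evil/file1.js', code: 'function f(str) { return eval(str); }' },
  { filename: 'trusted.com/file1.js', code: 'function g(str) { return eval(str); }' },
];

// Load both scripts into one context (one "page"), then call each function.
// allowEval is the single switch: there is no per-script or per-origin setting.
function runPage(allowEval) {
  const context = vm.createContext({}, { codeGeneration: { strings: allowEval } });
  for (const s of scripts) {
    vm.runInContext(s.code, context, { filename: s.filename });
  }
  const results = {};
  for (const name of ['f', 'g']) {
    try {
      results[name] = vm.runInContext(`${name}('3+4')`, context, {
        filename: 'trusted.com/file2.js',
      });
    } catch (e) {
      // The error object comes from the other context, so compare by name.
      results[name] = e.name;
    }
  }
  return results;
}

// Switch on: eval works in both functions, including the "untrusted" one.
console.log(runPage(true));
// Switch off: eval fails in both functions, including the "trusted" one.
console.log(runPage(false));
```

The engine decides per context, not per defining file, which is why a source-aware `eval-src` would need the string or function labelling mentioned in the reply.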
