Re: CSP unsafe-eval alternative for a 'trusted' or 'eval-src: self'?

david kaye <dfkaye@yahoo.com> writes:

> Deian,
> Hadn't thought of that - good one.
> So, given:
> //untrusted.evil/file1.js
> function f(str) {
>   eval('alert("w00t")')
> }
> //trusted.com/file1.js
> f('3+4');
> I would expect an error as f is defined in the untrusted file.  
>
> If the engines don't mark or source-map definitions by path, then it's not something CSP can specify/enforce by itself.
> Should I take this up with es-discuss and circle back?

I think that there is a patch for Chromium that associates labels
(origins) with strings, but I don't think that this has landed (nor if
it ever will). This may help going beyond the on/off model, but I think
that coming up with semantics that are not ad-hoc is hard.  (Though
interesting to think about further.) Maybe someone on es-discuss had
thought about this more than me though.

Best,
Deian

Received on Friday, 30 January 2015 01:30:54 UTC
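The following is an added example, not code from this thread or from any Chromium patch. It models the idea Deian mentions, attaching an origin label to strings so that an eval gate decides by the label of the code string rather than by which file called eval, as a userland toy in plain JavaScript. The origins, the `LabeledString` class, the `makeEvalGate` function and the hypothetical `eval-src` policy are all assumptions made for the illustration; in a real engine the labels would be assigned by the runtime, not by the script itself.

```javascript
// Constructed sample origins standing in for the two files in the quoted scenario.
const TRUSTED = 'https://trusted.com';
const UNTRUSTED = 'https://untrusted.evil';

// A string that remembers which origin produced it (hypothetical engine feature,
// simulated here by hand).
class LabeledString {
  constructor(value, origin) {
    this.value = String(value);
    this.origin = origin;
  }
  // Joining two strings keeps the label only if both carry the same one;
  // otherwise the result is "mixed" and no policy below will accept it.
  concat(other) {
    const origin = other.origin === this.origin ? this.origin : 'mixed';
    return new LabeledString(this.value + other.value, origin);
  }
}

// Build an eval gate for a hypothetical "eval-src" allow-list of origins.
// Plain (unlabelled) strings are always rejected, so nothing reaches eval
// unless the engine vouched for where the text came from.
function makeEvalGate(allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  return function gatedEval(code) {
    if (!(code instanceof LabeledString)) {
      return { ok: false, reason: 'unlabelled string' };
    }
    if (!allowed.has(code.origin)) {
      return { ok: false, reason: `origin ${code.origin} not in eval-src` };
    }
    // Only now hand the raw text to the real eval (indirect eval: global scope).
    return { ok: true, result: (0, eval)(code.value) };
  };
}

// Policy standing in for "eval-src 'self'" where self is trusted.com.
const gatedEval = makeEvalGate([TRUSTED]);

// --- simulated //untrusted.evil/file1.js: ignores its argument and evals its own text.
function fEvil(str) {
  return gatedEval(new LabeledString('"w00t"', UNTRUSTED));
}

// --- simulated //untrusted.evil/file2.js: evals whatever it is handed.
function fPassthrough(str) {
  return gatedEval(str);
}

// --- simulated //trusted.com/file1.js: the trusted caller from the quoted message.
function trustedCallerScenario() {
  const arg = new LabeledString('3+4', TRUSTED);
  return {
    // Rejected: the code string itself is labelled untrusted, regardless of caller.
    evilLiteral: fEvil(arg),
    // Accepted: the string is trusted even though f is defined in the untrusted file.
    passthrough: fPassthrough(arg),
    // Rejected: a trusted string joined with untrusted text becomes "mixed".
    tainted: fPassthrough(arg.concat(new LabeledString('+1', UNTRUSTED))),
    // Rejected: a bare string carries no label at all.
    unlabelled: fPassthrough('3+4'),
  };
}
```

The `passthrough` case is the one that shows why the semantics are not obvious: the quoted message expects an error because `f` lives in the untrusted file, but a label-on-the-string model accepts the call because the text being evaluated came from the trusted origin. Whether the caller's location, the string's label, or both should decide is exactly the design question the thread leaves open.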