Content Security Policy -unsafe eval

pchawla

Registered Developer

Join Date: Jul 2020

Posts: 18
#1

Content Security Policy -unsafe eval

23 Jul 2020, 21:32

HI,
We have a requirement where we want to remove "unsafe-eval" from CSP header for security concerns. On removing unsafe-eval from "script-src" directive in CSP header, isomorphic code breaks in ISC_Core.js because we are using new Function() in that file. Do we have support in isomorphic to achieve the same?
Tags: None
Isomorphic

Administrator

Join Date: May 2006

Posts: 54573
#2

24 Jul 2020, 08:30

This is not a supported setting, as it would cripple the software and make many key features impossible.

It is also a useless setting, as there are many other ways of doing an unsafe eval() without calling the eval function per se.

If you believe the framework contains any unsafe evals, please submit a test case showing how they can be exploited.
Comment

Previous template Next

Announcement