Content Security Policy (CSP) - safe usage of unsafe-eval?

Front-end · Unresolved · 2 answers · 2004 views
小蘑菇 2021-02-13 09:30

We use the following CSP header:

default-src 'self' *.ourdomain.com; script-src 'self' *.ourdomain.com 'sha256-[...]' 'unsafe-eval'; connect-src 'self

2 answers
    予麋鹿 (original poster)
    2021-02-13 09:51

    Because eval is literally unsafe. Eval in every language means "take this string and execute it as code." Sure, you may be using eval in a semi-safe way, but as long as you allow it at all, you are saying "anyone is allowed to execute arbitrary code in my application given an entry point".

    It is my opinion that there is no reason to use eval. Show me a case where eval is required in actual useful code and I'll bet that I can rewrite the code without using eval or declare it as impossibly secure code.

    Disallowing inline script is only half the battle, especially if you use jQuery.

    Quiz: does this code trigger an inline script violation or an eval violation?

    $('body').html('')

    You may be surprised.

    Spoiler:

    it's eval
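To make the point of the question and this answer concrete, here is an added example (not from the original post or its author): a small CSP auditor that parses a policy header and lists the script-src source expressions that allow arbitrary code execution, run against a header constructed after the one in the question (the `'sha256-[...]'` placeholder is kept as written there; `connect-src` is omitted) and against the same header with `'unsafe-eval'` dropped. The function names and the `/csp-report` endpoint are assumptions of this example.

```javascript
// Added example, not code from the original post. Parses a Content-Security-Policy
// header: directives are separated by ';', each is a name followed by
// whitespace-separated source expressions. Returns Map<name, string[]>.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers honour the first occurrence of a directive and ignore repeats.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src governs script execution; when it is absent, browsers fall back
// to default-src, so an audit has to look at the effective list, not just
// at a literal "script-src" directive.
function effectiveScriptSrc(directives) {
  if (directives.has("script-src")) return directives.get("script-src");
  return directives.get("default-src") || [];
}

// Source expressions in the effective script-src that permit execution of
// attacker-controlled code: eval/Function, inline script, any host, data: URLs.
function weakScriptSources(header) {
  const risky = new Set(["'unsafe-eval'", "'unsafe-inline'", "*", "data:"]);
  return effectiveScriptSrc(parseCsp(header)).filter((s) =>
    risky.has(s.toLowerCase())
  );
}

// Constructed after the header in the question (hash placeholder kept as-is).
const questionHeader =
  "default-src 'self' *.ourdomain.com; " +
  "script-src 'self' *.ourdomain.com 'sha256-[...]' 'unsafe-eval'";

// Same policy with 'unsafe-eval' removed. The hash still allows the one
// approved inline script; report-uri (assumed endpoint) surfaces whatever
// code, e.g. a jQuery call, now trips the eval restriction.
const hardenedHeader =
  "default-src 'self' *.ourdomain.com; " +
  "script-src 'self' *.ourdomain.com 'sha256-[...]'; report-uri /csp-report";

// No script-src at all: the weakness hides in default-src.
const fallbackHeader = "default-src 'self' 'unsafe-eval'";

console.log(weakScriptSources(questionHeader)); // ["'unsafe-eval'"]
console.log(weakScriptSources(hardenedHeader)); // []
console.log(weakScriptSources(fallbackHeader)); // ["'unsafe-eval'"]
```

Deploying the hardened header as `Content-Security-Policy-Report-Only` first lets you collect the eval violations (such as the jQuery case above) before enforcing it.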
