Content Security Policy (CSP) - safe usage of unsafe-eval?

小蘑菇 2021-02-13 09:30

We use the following CSP header:

default-src 'self' *.ourdomain.com; script-src 'self' *.ourdomain.com 'sha256-[...]' 'unsafe-eval';
connect-src 'self

2 answers
  •  余生分开走
    2021-02-13 09:42

    The security risk is that it doesn't protect any of your own code that may be vulnerable because eval is used.

    If you are using eval in your own code you should question why. Is there a safer alternative that can be employed instead?

    See here for a (contrived) example of how code can be injected by an attacker. Of course whether this can be done to your site very much depends on your code.

    The upshot is that there's almost always an alternative to using eval.
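As an added illustration of the answer above (not code from the original post or its author): a small Node.js script that parses a CSP header value to report whether it grants scripts the right to call eval, and contrasts an eval-based data parser with JSON.parse on the same constructed input. The policy strings are built from the question's header with a placeholder hash; the input string and the `evalRan` marker are constructed for the demonstration.

```javascript
// Added example, not from the original post. Assumes Node.js, no dependencies.

// Split a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// eval()/new Function() are governed by script-src; when script-src is
// absent the browser falls back to default-src.
function allowsEval(policy) {
  const sources = policy['script-src'] || policy['default-src'] || [];
  return sources.includes("'unsafe-eval'");
}

// The pattern the answer warns about: legacy code that "parses" JSON-like
// text with eval(). Whatever the string contains is executed as code.
function parseDataUnsafe(text) {
  return eval('(' + text + ')');
}

// Hardened replacement: JSON.parse yields data only and rejects code.
function parseDataSafe(text) {
  return JSON.parse(text);
}

// Constructed policies derived from the question's header (placeholder hash).
const POLICY_WITH_EVAL =
  "default-src 'self' *.ourdomain.com; script-src 'self' *.ourdomain.com 'sha256-PLACEHOLDER' 'unsafe-eval'";
const POLICY_WITHOUT_EVAL =
  "default-src 'self' *.ourdomain.com; script-src 'self' *.ourdomain.com 'sha256-PLACEHOLDER'";

// Constructed input: looks like a record but carries a statement. Under eval
// the statement runs (it sets a marker); under JSON.parse it is a SyntaxError.
const TAINTED_INPUT = '(globalThis.evalRan = true, {"user": "alice"})';

// Returns true when JSON.parse rejects the input, i.e. no code was executed.
function safeParserRejects(text) {
  try { parseDataSafe(text); return false; } catch (e) { return e instanceof SyntaxError; }
}

console.log('eval allowed:', allowsEval(parseCsp(POLICY_WITH_EVAL)),
            '->', allowsEval(parseCsp(POLICY_WITHOUT_EVAL)));
console.log('JSON.parse rejects tainted input:', safeParserRejects(TAINTED_INPUT));
```

Dropping `'unsafe-eval'` from script-src only helps once the eval-based parser is gone; the browser would otherwise block the legitimate call along with the injected one.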
