Open Bug 1580514 Opened 5 years ago Updated 2 years ago

script-src CSP blocks eval and new Function

Tracking

(Not tracked)

Status:

NEW

People

(Reporter: pbro, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: parity-chrome)

Patrick Brosset <:pbro>

Reporter

Description

•

5 years ago

Steps:

Open this page in Firefox: https://csp-devtools.glitch.me/
This page defines a CSP for script-src
Open the console and try executing the following lines:
- eval("window")
- var sum = new Function('a', 'b', 'return a + b');

Both of these get blocked by script-src. The error message is:

Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”)

This does not happen in Chrome.

Brad Werth [:bradwerth]

Updated

•

5 years ago

See Also: → https://bugzilla.mozilla.org/show_bug.cgi?id=1391994

Nicolas Chevobbe [:nchevobbe]

Updated

•

5 years ago

Priority: -- → P3

Rob Wu [:robwu]

Updated

•

5 years ago

See Also: → https://bugzilla.mozilla.org/show_bug.cgi?id=1591983

Logan Smyth [:loganfsmyth]

Updated

•

4 years ago

See Also: → https://bugzilla.mozilla.org/show_bug.cgi?id=1650112

Brad Werth [:bradwerth]

Comment 1

•

4 years ago

I'll take a look at this.

Assignee: nobody → bwerth

Brad Werth [:bradwerth]

Comment 2

•

3 years ago

I'm not working in this area anymore. Taking myself off the bug to make it clear that somebody else can pick it up.

Assignee: bwerth → nobody

BMO Automation

Updated

•

2 years ago

Severity: normal → S3

You need to log in before you can comment on or make changes to this bug.

Bugzilla

script-src CSP blocks eval and new Function

Categories

(DevTools :: Console, defect, P3)

Tracking

(Not tracked)

People

(Reporter: pbro, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: parity-chrome)

Crash Data

Security

(public)

User Story

Description

Updated

Updated

Updated

Updated

Comment 1

Comment 2

Updated