Polymer requires unsafe-eval CSP #679

Closed
willscott opened this issue Dec 13, 2014 · 8 comments
@willscott
Member

unsafe-eval, allowing JavaScript to call eval, is the most dangerous and least recommended policy to allow in your UI. Especially in a UI that features remote-user content like names, images, etc., we should not allow unsafe-eval.

It appears this relaxation occurred in #346.

@dborkan - does polymer really need unsafe-eval permissions?
@iislucas - was this considered at the point when we moved to polymer? it's a fairly gaping security issue.

@iislucas
Contributor

We should not be using unsafe eval.

@iislucas iislucas changed the title Polymer requires unsafe-eval CSP Remove technical debt of using typescript with allow implicit any Dec 13, 2014
@iislucas iislucas changed the title Remove technical debt of using typescript with allow implicit any Polymer requires unsafe-eval CSP Dec 13, 2014
@iislucas
Contributor

Sorry, maybe I should not be working after a redeye, I was getting confused. But Polymer does not require unsafe-eval. So we should definitely fix it.

@iislucas
Contributor

In particular, we should remove unsafe-eval from: https://github.com/uProxy/uproxy/blob/dev/src/chrome/extension/manifest.json

@iislucas iislucas added this to the v0.9 Allardice (Web Store Feature Complete) milestone Jan 30, 2015
@dborkan
Contributor

dborkan commented Mar 12, 2015

Reopening as we are now seeing this error:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:".

I found some GitHub issues about this that suggest we should run vulcanize with the --csp flag to fix it: Polymer/polymer#612, Polymer/polymer#252

@dborkan dborkan reopened this Mar 12, 2015
@dborkan
Contributor

dborkan commented Mar 13, 2015

Looks like we are already using the csp flag (that's what splits Polymer into separate JS and HTML files).

@willscott
Member Author

@salomegeo can perhaps comment if this is also the reason why the firefox addon uses 'unsafe-content-script'
https://github.com/uProxy/uproxy/blob/dev/src/firefox/package.json#L11

@salomegeo
Collaborator

I believe that's not needed anymore. It was necessary to share objects between content script and page script. But we don't do that anymore I believe.

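The thread above turns on two relaxations: `'unsafe-eval'` in the Chrome extension's `content_security_policy` (the directive string quoted in the error message), and `unsafe-content-script` in the Firefox add-on's package.json. The following is an added example, not code from the uProxy project or from anyone in this thread: a small Node.js audit that parses a manifest CSP string into directives, reports any `'unsafe-eval'` or `'unsafe-inline'` in the effective script policy, and flags the Firefox Add-on SDK permission. The two manifests and the package.json object are constructed sample input, not the real uProxy files; the `permissions["unsafe-content-script"]` key layout is assumed from the Add-on SDK's package.json format and is not confirmed by this page.

```javascript
// Added example (not uProxy project code): audit extension manifests for the
// CSP relaxations discussed in this issue. All inputs below are constructed.

// Constructed sample: the relaxed policy the issue asks to remove.
const weakManifest = {
  manifest_version: 2,
  name: 'sample-extension',
  version: '0.0.1',
  content_security_policy:
    "script-src 'self' 'unsafe-eval' chrome-extension-resource:; object-src 'self'",
};

// Constructed sample: the policy quoted in the "Refused to evaluate" error above.
const hardenedManifest = {
  manifest_version: 2,
  name: 'sample-extension',
  version: '0.0.1',
  content_security_policy:
    "script-src 'self' chrome-extension-resource:; object-src 'self'",
};

// Constructed sample Firefox Add-on SDK package.json; the permissions key layout
// is an assumption, not taken from the page.
const firefoxPackage = {
  name: 'sample-addon',
  permissions: { 'unsafe-content-script': true },
};

// Parse a CSP string into { directiveName: [source, ...] }.
// Directive names are case-insensitive; a repeated directive is ignored after
// its first occurrence, matching browser behaviour.
function parseCsp(policy) {
  const directives = {};
  for (const rawDirective of policy.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Keywords that defeat script-src. 'unsafe-inline' is checked too, because an
// injected <script> is the usual path from remote-user content to XSS.
const DANGEROUS_SCRIPT_SOURCES = ["'unsafe-eval'", "'unsafe-inline'"];

// Return the dangerous keywords present in the effective script policy.
// Falls back to default-src when script-src is absent, as the browser does.
function findScriptRelaxations(policy) {
  const directives = parseCsp(policy);
  const scriptSources = directives['script-src'] || directives['default-src'] || [];
  const lowered = scriptSources.map((s) => s.toLowerCase());
  return DANGEROUS_SCRIPT_SOURCES.filter((kw) => lowered.includes(kw));
}

// Audit a parsed manifest.json (manifest_version 2, where the CSP is a string).
// Returns { ok, findings }.
function auditManifestCsp(manifest) {
  const policy = manifest.content_security_policy;
  const findings = [];
  if (typeof policy !== 'string') {
    // No explicit policy: the MV2 default ("script-src 'self'; object-src 'self'")
    // already forbids eval, so there is nothing to flag.
    return { ok: true, findings };
  }
  for (const kw of findScriptRelaxations(policy)) {
    findings.push(`script-src allows ${kw}`);
  }
  return { ok: findings.length === 0, findings };
}

// Audit an Add-on SDK package.json for the content-script object-sharing
// permission mentioned in the thread (key layout assumed, see above).
function auditFirefoxPackage(pkg) {
  const perms = (pkg && pkg.permissions) || {};
  const findings = perms['unsafe-content-script'] === true
    ? ['permissions.unsafe-content-script is enabled']
    : [];
  return { ok: findings.length === 0, findings };
}

// Report on the constructed samples.
function report(label, result) {
  console.log(`${label}: ${result.ok ? 'OK' : result.findings.join('; ')}`);
}
report('weak manifest', auditManifestCsp(weakManifest));
report('hardened manifest', auditManifestCsp(hardenedManifest));
report('firefox package.json', auditFirefoxPackage(firefoxPackage));
```

To use it against a real file, replace the constructed objects with `JSON.parse(fs.readFileSync(path, 'utf8'))` and fail the build when `ok` is false; the check belongs in CI so that a relaxation like the one introduced in #346 cannot land silently.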

@dborkan
Contributor

dborkan commented Feb 29, 2016

No longer an issue

@dborkan dborkan closed this as completed Feb 29, 2016