Polymer requires unsafe-eval CSP #679
We should not be using unsafe-eval.
Sorry, maybe I should not be working after a redeye; I was getting confused. But Polymer does not require unsafe-eval. So we should definitely fix it.
In particular, we should remove unsafe-eval from: https://github.com/uProxy/uproxy/blob/dev/src/chrome/extension/manifest.json
Reopening as we are now seeing this error:
I found some GitHub issues about this that suggest we should run vulcanize with the --csp flag to fix it: Polymer/polymer#612, Polymer/polymer#252
Looks like we are already using the csp flag (that's what splits Polymer into a separate JS and HTML)
@salomegeo can perhaps comment if this is also the reason why the Firefox addon uses 'unsafe-content-script'
I believe that's not needed anymore. It was necessary to share objects
On Fri, Mar 13, 2015 at 5:17 PM, Will notifications@github.com wrote:
No longer an issue
unsafe-eval, allowing JavaScript to call eval(), is the most dangerous and least recommended policy to allow in your UI. Especially in a UI that features remote-user content like names, images, etc., we should not allow unsafe-eval. It appears this relaxation occurred in #346
@dborkan - does Polymer really need unsafe-eval permissions?
@iislucas - was this considered at the point when we moved to Polymer? It's a fairly gaping security issue.
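A build-time check for the manifest.json relaxation this issue is about, as an added example that is not uProxy's own code: it parses the extension's `content_security_policy` string and reports risky script sources such as `'unsafe-eval'`. The two manifests are constructed samples (manifest version 2, where the CSP is a plain string), not the project's actual file.

```python
"""Lint a Chrome extension manifest's content_security_policy for risky sources."""
import json

# Constructed sample manifests (not uProxy's real manifest.json): the relaxed
# policy this thread argues against, and the tightened policy it asks for.
RELAXED_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "example-extension",
    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
})
STRICT_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "example-extension",
    "content_security_policy": "script-src 'self'; object-src 'self'",
})

# Source expressions that should never appear in an extension's script-src.
RISKY_SOURCES = {"'unsafe-eval'", "'unsafe-inline'", "*"}


def parse_csp(policy):
    """Split a CSP string into {directive: [source expressions]}."""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            # Directive names and keyword sources are case-insensitive.
            directives[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return directives


def find_risky_sources(manifest_text):
    """Return the risky source expressions found in the manifest's script-src.

    A missing content_security_policy key means Chrome's default extension
    policy applies, which already forbids unsafe-eval, so nothing is reported.
    """
    manifest = json.loads(manifest_text)
    directives = parse_csp(manifest.get("content_security_policy", ""))
    # script-src falls back to default-src when it is absent.
    sources = directives.get("script-src", directives.get("default-src", []))
    return sorted(s for s in sources if s in RISKY_SOURCES)


if __name__ == "__main__":
    for label, text in (("relaxed", RELAXED_MANIFEST), ("strict", STRICT_MANIFEST)):
        print(label, find_risky_sources(text) or "ok")
```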