-
Notifications
You must be signed in to change notification settings - Fork 78
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CSP: ECMA-262 does not define "operator eval" #1
Comments
Removed from the current draft. |
ArthurSonzogni
added a commit
to ArthurSonzogni/webappsec-csp
that referenced
this issue
Nov 16, 2021
Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
ArthurSonzogni
added a commit
that referenced
this issue
Nov 22, 2021
* Introduce "Strip URL for use in reports". Omit informations from URLs in reports for: - `blockedURI` - `document-uri` - `referrer` - `source-file` This is the defactor standard implemented in: - [Chrome] with `StripURLForUseInReports(...)` - [Firefox] with `StripURIForReporting(...)` - [Safari] with `deprecatedURLForReporting(...)` The 3 implementations differ slightly. This patch proposes following [Chrome's patch], which help resolve this [user's need]. See also related [firefox issue] and [webappsec-csp issue]. [Chrome]: https://source.chromium.org/search?q=StripURLForUseInReport [Firefox]: https://searchfox.org/mozilla-central/search?q=StripURIForReporting [Safari]: https://github.com/WebKit/WebKit/blob/eea907e63be4676ad5cc56cabe4d00edf109b398/Source/WebCore/page/csp/ContentSecurityPolicy.cpp#L716 [Chrome's patch]: https://chromium-review.googlesource.com/c/chromium/src/+/3263879 [user's need]: https://bugs.chromium.org/p/chromium/issues/detail?id=1264789 [firefox issue]: https://bugzilla.mozilla.org/show_bug.cgi?id=1705523 [webappsec-csp issue]: #489 * Apply suggestions from annevk@ review #1 Co-authored-by: Anne van Kesteren <annevk@annevk.nl> * Address annevk@ comments #2 * Address @annevk comments. * Nit * Switch toward an allowlist * Remove wss/ws/ftp * Update index.bs Co-authored-by: Anne van Kesteren <annevk@annevk.nl> Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
From @shekyan on October 7, 2015 0:39
Section 7.15 mentions operator
eval
Operator
eval
is is not defined neither by ECMA-262, nor by the CSP specification.Copied from original issue: w3c/webappsec#503
The text was updated successfully, but these errors were encountered: