Open Bug 1580514 Opened 5 years ago Updated 2 years ago

script-src CSP blocks eval and new Function

Categories

(DevTools :: Console, defect, P3)

Product:
DevTools
Component:
Console
Type:
defect

Tracking

(Not tracked)

People

(Reporter: pbro, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: parity-chrome)

Steps:

  • Open this page in Firefox: https://csp-devtools.glitch.me/
  • This page defines a CSP for script-src
  • Open the console and try executing the following lines:
    • eval("window")
    • var sum = new Function('a', 'b', 'return a + b');

Both of these get blocked by script-src. The error message is:

Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”)

This does not happen in Chrome.

See Also: → 1391994
Priority: -- → P3
See Also: → 1591983
See Also: → 1650112

I'll take a look at this.

Assignee: nobody → bwerth

I'm not working in this area anymore. Taking myself off the bug to make it clear that somebody else can pick it up.

Assignee: bwerth → nobody
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.