- From: Ian Melven <imelven@mozilla.com>
- Date: Fri, 28 Dec 2012 09:51:49 -0800 (PST)
- To: public-webappsec <public-webappsec@w3.org>
Hi,

Recently Paul Theriault discovered that in Gecko, crypto.generateCRMFRequest bypasses CSP by allowing script execution from a string when unsafe-eval isn't specified as part of an applied CSP. This has been filed as http://bugzilla.mozilla.org/show_bug.cgi?id=824652

There was a suggestion in the bug to add this to the list of eval and friends blocked by CSP in the spec - I think in general the spec avoids exhaustively listing all the ways to do things such as eval, but am bringing this up here to see if others think we should call out this case since it seems like a fairly easy one to miss.

Thanks!

Ian
Received on Friday, 28 December 2012 17:52:21 UTC