Disallow eval in CSP policy #11925

Open
LukasReschke opened this Issue Nov 3, 2014 · 10 comments

@LukasReschke
Member

LukasReschke commented Nov 3, 2014

Currently eval is allowed with our CSP policy. We should evaluate whether disabling it causes any problems.

@LukasReschke

Member

LukasReschke commented Nov 3, 2014

Notes:

```
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".
 l10n.js?v=7c2085d9b0883fc1b34b2525f35eecdd:87
```
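The EvalError quoted above is what a `script-src 'self'` policy produces when a script reaches for `eval()` or `new Function()`. The usual way to find out "whether disabling it causes any problems" before enforcing is to ship the stricter policy as `Content-Security-Policy-Report-Only` and look at the violation reports the browsers post back. The JavaScript below is an added example, not ownCloud code: `allowsEval()` tells whether a policy string permits eval for scripts (honouring the script-src to default-src fallback and the first-directive-wins rule), and `summariseReports()` tallies constructed violation reports per source file so the eval users stand out. The host, report bodies and the second file name are made up; only the l10n.js path and line number echo the error above.

```javascript
// Added example: CSP impact-assessment helpers (not ownCloud code).
// 1) allowsEval(): does a policy string permit eval() for scripts?
// 2) summariseReports(): which files trigger eval violations once the policy
//    is deployed as Content-Security-Policy-Report-Only?

// Parse "directive src src; directive src" into a Map. Per the CSP spec a
// directive name that appears twice keeps its first value; later copies are ignored.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src governs eval(); when it is absent the browser falls back to
// default-src, and when both are absent scripts are unrestricted.
function effectiveScriptSources(policy) {
  const d = parsePolicy(policy);
  if (d.has('script-src')) return d.get('script-src');
  if (d.has('default-src')) return d.get('default-src');
  return null;
}

function allowsEval(policy) {
  const sources = effectiveScriptSources(policy);
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Constructed violation reports in the shape browsers POST to report-uri.
// The l10n.js path and line echo the EvalError quoted in the issue; the host
// and the second file (template-lib.js) are invented for this example.
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://cloud.example/index.php/apps/files',
      'violated-directive': "script-src 'self'", 'effective-directive': 'script-src',
      'blocked-uri': 'eval',
      'source-file': 'https://cloud.example/core/js/l10n.js?v=7c2085d9b0883fc1b34b2525f35eecdd',
      'line-number': 87 } },
  { 'csp-report': { 'document-uri': 'https://cloud.example/index.php/apps/gallery',
      'violated-directive': "script-src 'self'", 'effective-directive': 'script-src',
      'blocked-uri': 'eval',
      'source-file': 'https://cloud.example/core/js/l10n.js?v=7c2085d9b0883fc1b34b2525f35eecdd',
      'line-number': 87 } },
  { 'csp-report': { 'document-uri': 'https://cloud.example/index.php/apps/gallery',
      'violated-directive': "script-src 'self'", 'effective-directive': 'script-src',
      'blocked-uri': 'eval',
      'source-file': 'https://cloud.example/apps/example/js/template-lib.js',
      'line-number': 1203 } },
  { 'csp-report': { 'document-uri': 'https://cloud.example/index.php/apps/files',
      'violated-directive': "img-src 'self'", 'effective-directive': 'img-src',
      'blocked-uri': 'https://cdn.example.net/avatar.png' } },
];

// Tally reports per source file, separating eval() violations (browsers set
// blocked-uri to the literal string "eval" for those) from everything else.
// The cache-busting query string is stripped so one file is counted once.
function summariseReports(reports) {
  const counts = { eval: {}, other: {} };
  for (const r of reports) {
    const body = r['csp-report'] || r;
    const directive = String(body['effective-directive'] || body['violated-directive'] || '')
      .split(/\s+/)[0];
    const file = String(body['source-file'] || body['document-uri'] || 'unknown').replace(/\?.*$/, '');
    const bucket = directive === 'script-src' && body['blocked-uri'] === 'eval' ? counts.eval : counts.other;
    bucket[file] = (bucket[file] || 0) + 1;
  }
  return counts;
}

// Stand-alone run: the issue's policy, and what a Report-Only phase surfaces.
console.log("script-src 'self' allows eval:", allowsEval("script-src 'self'"));
console.log(JSON.stringify(summariseReports(SAMPLE_REPORTS), null, 2));
```

The `eval` bucket is the to-do list for this issue: every file listed there still needs an eval-free replacement before the policy can be enforced, and the count per file shows which one fires most.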
@LukasReschke

Member

LukasReschke commented Nov 3, 2014

@PVince81 Any chance to generate the plural function without using an eval-like construct?

@PVince81

Member

PVince81 commented Nov 4, 2014

I looked into this before but didn't find any good solution... another idea would be to generate that function directly in the locale's translation JS file.
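The eval-like construct behind the l10n.js error is the common way of turning a gettext `Plural-Forms` header into a function: assemble the source text and hand it to `eval()` or `new Function()`, both of which `'unsafe-eval'` governs. PVince81's suggestion moves that step to build time, into the locale's translation file; the alternative shown here keeps it at run time but interprets the expression with a small parser, so no string is ever executed as code. The JavaScript below is an added example, not ownCloud's l10n.js: `tokenize()`, `parseExpression()` and `compilePluralForms()` are names chosen here, and the `Plural-Forms` headers used are the standard gettext ones for English, French, Japanese and Russian.

```javascript
// Added example (not ownCloud's l10n.js): evaluate a gettext Plural-Forms
// header without eval() or new Function(), so the plural function works under
// "script-src 'self'". The grammar is the C subset gettext uses:
// n, integers, ( ), unary ! and -, * / %, + -, < > <= >=, == !=, &&, ||, ?:

function tokenize(src) {
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (/\s/.test(c)) { i += 1; continue; }
    if (/\d/.test(c)) {
      let j = i;
      while (j < src.length && /\d/.test(src[j])) j += 1;
      tokens.push({ type: 'num', value: Number(src.slice(i, j)) });
      i = j;
      continue;
    }
    if (c === 'n') { tokens.push({ type: 'n' }); i += 1; continue; }
    const two = src.slice(i, i + 2);
    if (['||', '&&', '==', '!=', '<=', '>='].includes(two)) {
      tokens.push({ type: 'op', value: two }); i += 2; continue;
    }
    if ('<>?:()%!+-*/'.includes(c)) { tokens.push({ type: 'op', value: c }); i += 1; continue; }
    // Anything outside the grammar (identifiers, calls, quotes) is rejected here.
    throw new SyntaxError(`Unexpected character ${JSON.stringify(c)} at offset ${i}`);
  }
  return tokens;
}

// Recursive-descent parser with C operator precedence. It returns a closure
// n => number instead of source text, so nothing is ever handed to eval().
function parseExpression(tokens) {
  let pos = 0;
  const peek = () => tokens[pos];
  const accept = (v) => {
    const t = tokens[pos];
    if (t && t.type === 'op' && t.value === v) { pos += 1; return true; }
    return false;
  };
  const expect = (v) => { if (!accept(v)) throw new SyntaxError(`Expected "${v}"`); };
  const bool = (x) => (x ? 1 : 0); // C truthiness: comparisons yield 0 or 1

  // One left-associative binary level: `next` parses operands, `ops` maps token -> fn.
  const binary = (next, ops) => () => {
    let left = next();
    for (;;) {
      const t = peek();
      if (!t || t.type !== 'op' || !(t.value in ops)) return left;
      pos += 1;
      const fn = ops[t.value];
      const l = left;
      const r = next();
      left = (n) => fn(l(n), r(n));
    }
  };

  function primary() {
    const t = peek();
    if (!t) throw new SyntaxError('Unexpected end of expression');
    if (t.type === 'num') { pos += 1; return () => t.value; }
    if (t.type === 'n') { pos += 1; return (n) => n; }
    if (accept('(')) { const e = ternary(); expect(')'); return e; }
    throw new SyntaxError(`Unexpected token ${JSON.stringify(t)}`);
  }
  function unary() {
    if (accept('!')) { const e = unary(); return (n) => bool(e(n) === 0); }
    if (accept('-')) { const e = unary(); return (n) => -e(n); }
    return primary();
  }
  const mul = binary(unary, { '*': (a, b) => a * b, '/': (a, b) => Math.trunc(a / b), '%': (a, b) => a % b });
  const add = binary(mul, { '+': (a, b) => a + b, '-': (a, b) => a - b });
  const rel = binary(add, { '<': (a, b) => bool(a < b), '>': (a, b) => bool(a > b),
                            '<=': (a, b) => bool(a <= b), '>=': (a, b) => bool(a >= b) });
  const eq = binary(rel, { '==': (a, b) => bool(a === b), '!=': (a, b) => bool(a !== b) });
  const and = binary(eq, { '&&': (a, b) => bool(a !== 0 && b !== 0) });
  const or = binary(and, { '||': (a, b) => bool(a !== 0 || b !== 0) });
  function ternary() {              // right-associative, lowest precedence
    const cond = or();
    if (!accept('?')) return cond;
    const whenTrue = ternary();
    expect(':');
    const whenFalse = ternary();
    return (n) => (cond(n) !== 0 ? whenTrue(n) : whenFalse(n));
  }

  const expr = ternary();
  if (pos !== tokens.length) throw new SyntaxError(`Trailing input at token ${pos}`);
  return expr;
}

// Turn "nplurals=N; plural=EXPR;" into a function n -> plural index, with a
// range check so a bad header can never index past the translation array.
function compilePluralForms(header) {
  const m = /^\s*nplurals\s*=\s*(\d+)\s*;\s*plural\s*=\s*(.+?)\s*;?\s*$/.exec(header);
  if (!m) throw new SyntaxError('Malformed Plural-Forms header');
  const nplurals = Number(m[1]);
  const evaluate = parseExpression(tokenize(m[2]));
  return function plural(n) {
    const idx = evaluate(n);
    if (!Number.isInteger(idx) || idx < 0 || idx >= nplurals) {
      throw new RangeError(`plural(${n}) = ${idx} is outside 0..${nplurals - 1}`);
    }
    return idx;
  };
}

// Stand-alone run with the Russian rule, a common stress test for plural parsers.
const russian = compilePluralForms(
  'nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);',
);
console.log([1, 2, 5, 11, 21, 22, 122].map(russian)); // [0, 1, 2, 2, 0, 1, 1]
```

Because the tokenizer only accepts the gettext expression grammar, a header containing anything else (a function call, any identifier other than `n`) fails when the header is compiled rather than being executed, which is a second reason to prefer this over `eval()` even where the CSP would permit it.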

@LukasReschke

Member

LukasReschke commented Jan 26, 2015

Would love to get rid of that. – We really need this considering some recent hiccups in some JS code components.

@DeepDiver1975

LukasReschke added a commit that referenced this issue Feb 9, 2015

Allow AppFramework applications to specify a custom CSP header
This change allows AppFramework applications to specify a custom CSP header, for example when the default policy is too strict. Furthermore this allows us to partially migrate away from CSS and allowed eval() in our JavaScript components.

Legacy ownCloud components will still use the previous policy. Application developers can use this as follows in their controllers:
```php
$response = new TemplateResponse('activity', 'list', []);
$cspHelper = new ContentSecurityPolicyHelper();
$cspHelper->addAllowedScriptDomain('www.owncloud.org');
$response->addHeader('Content-Security-Policy', $cspHelper->getPolicy());
return $response;
```

Fixes #11857, which is a prerequisite for #13458 and #11925

LukasReschke added a commit that referenced this issue Feb 16, 2015

@DeepDiver1975 DeepDiver1975 modified the milestones: 8.1-current, 8.2-next Apr 4, 2015

@LukasReschke

Member

LukasReschke commented Sep 2, 2015

We got bitten by this again: owncloud/gallery#295

We really need this at some point…

@LukasReschke LukasReschke modified the milestones: 9.0-next, 8.2-current Oct 1, 2015

@LukasReschke

Member

LukasReschke commented Oct 1, 2015

=> Breaking change that affects third-party apps => Let's move to 9.0

@PVince81

Member

PVince81 commented Feb 18, 2016

@LukasReschke also the handlebars situation was not solved.

Move to 9.1?

@LukasReschke LukasReschke modified the milestones: 9.1-next, 9.0-current Feb 18, 2016

@LukasReschke

Member

LukasReschke commented Feb 18, 2016

Yes.

@PVince81

Member

PVince81 commented Jun 1, 2016

Still can't get rid of eval due to client-side compiling of handlebars templates: #12848

@PVince81 PVince81 added this to the 9.2-next milestone Jun 1, 2016

@PVince81 PVince81 removed this from the 9.1-current milestone Jun 1, 2016

@PVince81

Member

PVince81 commented Jan 27, 2017

Not possible until we have precompiled handlebars templates everywhere -> backlog
