Disallow eval in CSP policy #11925
@PVince81 Any chance to generate the plural function without using an eval-like construct?

I looked into this before but didn't find any good solution... another idea would be to generate that function directly in the locale's translation JS file.

Would love to get rid of that. – We really need this considering some recent hiccups in some JS code components.
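The eval-free plural function the comments above ask for, as an added example rather than ownCloud's own code: it compiles a gettext Plural-Forms header with a small precedence-climbing parser instead of eval()/new Function(), which a CSP without 'unsafe-eval' blocks. The function names and the header strings in the comments are assumptions constructed for this example.

```javascript
// Added example (not ownCloud code): compile a gettext Plural-Forms header into a plain JS
// function with a small parser instead of eval()/new Function(), so it runs without 'unsafe-eval'.
const TOKEN = /\s*(\d+|n|\(|\)|\?|:|&&|\|\||[!=<>]=?|%)/y;   // only the C subset gettext uses
function tokenize(src) {
  const out = [];
  for (TOKEN.lastIndex = 0; TOKEN.lastIndex < src.length;) {
    const m = TOKEN.exec(src);                 // sticky flag: must match exactly at lastIndex
    if (!m) throw new Error('bad plural expression: ' + src);   // e.g. identifiers other than n
    out.push(m[1]);
  }
  return out;
}
const PREC = { '||': 1, '&&': 2, '==': 3, '!=': 3, '<': 4, '<=': 4, '>': 4, '>=': 4, '%': 5 }; // C precedence
const OPS = {                                  // C semantics: comparisons and logic yield 0/1
  '||': (a, b) => (a || b ? 1 : 0), '&&': (a, b) => (a && b ? 1 : 0),
  '==': (a, b) => (a === b ? 1 : 0), '!=': (a, b) => (a !== b ? 1 : 0), '%': (a, b) => a % b,
  '<': (a, b) => (a < b ? 1 : 0), '<=': (a, b) => (a <= b ? 1 : 0),
  '>': (a, b) => (a > b ? 1 : 0), '>=': (a, b) => (a >= b ? 1 : 0),
};
function compilePluralForms(header) {          // -> { nplurals, plural(n) -> form index }
  const m = /nplurals\s*=\s*(\d+)\s*;\s*plural\s*=\s*(.+?)\s*;?\s*$/.exec(header.trim());
  if (!m) throw new Error('malformed Plural-Forms header');
  const toks = tokenize(m[2]);
  let i = 0; const peek = () => toks[i], next = () => toks[i++];
  const expect = (t) => { if (next() !== t) throw new Error('expected ' + t); };
  function primary() {                         // n | integer | !expr | ( expr )
    const t = next();
    if (t === 'n') return (n) => n;
    if (/^\d+$/.test(t)) { const v = Number(t); return () => v; }
    if (t === '!') { const e = primary(); return (n) => (e(n) ? 0 : 1); }
    if (t === '(') { const e = ternary(); expect(')'); return e; }
    throw new Error('unexpected token ' + t);
  }
  function binary(minPrec) {                   // precedence climbing over PREC
    let left = primary();
    while (PREC[peek()] !== undefined && PREC[peek()] >= minPrec) {
      const op = next(), l = left, r = binary(PREC[op] + 1);
      left = (n) => OPS[op](l(n), r(n));       // each node is a closure, never source text
    }
    return left;
  }
  function ternary() {                         // cond ? a : b, right-associative like C
    const c = binary(1);
    if (peek() !== '?') return c;
    next(); const yes = ternary(); expect(':'); const no = ternary();
    return (n) => (c(n) ? yes(n) : no(n));
  }
  const fn = ternary(); if (i !== toks.length) throw new Error('trailing tokens in plural expression');
  return { nplurals: Number(m[1]), plural: (n) => fn(n) };
}
```

Anything outside the tokenizer's grammar (function calls, other identifiers) is rejected before any code runs, which is the property eval() could not give.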
This change allows AppFramework applications to specify a custom CSP header, for example when the default policy is too strict. Furthermore this allows us to partially migrate away from CSS and allowed eval() in our JavaScript components. Legacy ownCloud components will still use the previous policy. Application developers can use this as follows in their controllers:

```php
$response = new TemplateResponse('activity', 'list', []);
$cspHelper = new ContentSecurityPolicyHelper();
$cspHelper->addAllowedScriptDomain('www.owncloud.org');
$response->addHeader('Content-Security-Policy', $cspHelper->getPolicy());
return $response;
```

Fixes #11857 which is a pre-requisite for #13458 and #11925
We got bitten by this again: owncloud/gallery#295 We really need this at some point…

=> Breaking change that affects third-party apps => Let's move to 9.0

@LukasReschke also the handlebars situation was not solved. Move to 9.1 ?

Yes.

Still can't get rid of eval due to client-side compiling of handlebars templates: #12848

Not possible until we have precompiled handlebars templates everywhere -> backlog
Currently `eval` is allowed with our CSP policy. We should evaluate whether disabling it causes any problems.