
Disallow eval in CSP policy #11925

Closed
LukasReschke opened this issue Nov 3, 2014 · 10 comments

Comments

@LukasReschke
Member

LukasReschke commented Nov 3, 2014

Currently eval is allowed with our CSP policy. We should evaluate whether disabling it causes any problems.

@LukasReschke
Member Author

Notes:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".
 l10n.js?v=7c2085d9b0883fc1b34b2525f35eecdd:87
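An added example, not code from ownCloud or from anyone in this thread: a small checker that reads a Content-Security-Policy header the way a browser resolves it for eval (script-src governs, default-src applies when script-src is absent, and no restriction applies when neither is present) and reports whether 'unsafe-eval' is in effect. It is the kind of check that helps when evaluating, as this issue proposes, which served policies would produce the EvalError quoted above. The function names (parseCsp, effectiveScriptSources, allowsUnsafeEval, policiesAllowingEval) are hypothetical, and the sample policies are constructed; the first one is the policy from the quoted error.

```javascript
// Added example (not ownCloud code): report whether a CSP header still lets
// scripts call eval()/new Function(). Names are hypothetical.
'use strict';

// Parse "directive value value; directive ..." into a Map. Directive names are
// ASCII case-insensitive, and a repeated directive is ignored after its first
// occurrence (not merged), as the CSP spec requires.
function parseCsp(header) {
  const directives = new Map();
  for (const rawDirective of header.split(';')) {
    const parts = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (directives.has(name)) continue;
    directives.set(name, parts.slice(1));
  }
  return directives;
}

// The source list that governs eval for scripts: script-src, otherwise
// default-src, otherwise null (no restriction at all).
function effectiveScriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Keyword sources are matched ASCII case-insensitively, so 'UNSAFE-EVAL' counts.
function allowsUnsafeEval(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Constructed sample policies; the first is the one from the quoted EvalError.
const SAMPLE_POLICIES = [
  "script-src 'self'",
  "default-src 'self'; script-src 'self' 'unsafe-eval'",
  "default-src 'self' 'unsafe-eval'",
  "default-src 'unsafe-eval'; script-src 'self'",
  "script-src 'self'; script-src 'unsafe-eval'",
  "img-src 'self'",
];

// Audit helper: which of a set of served policies would still let eval run.
function policiesAllowingEval(policies) {
  return policies.filter(allowsUnsafeEval);
}
```

Note the two cases that are easy to get wrong by eye: a policy that lists 'unsafe-eval' only in default-src while also setting a script-src does not allow eval, and a second script-src directive later in the header is ignored rather than widening the first.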

@LukasReschke
Member Author

@PVince81 Any chance to generate the plural function without using an eval-like construct?

@PVince81
Contributor

PVince81 commented Nov 4, 2014

I looked into this before but didn't find any good solution... another idea would be to generate that function directly in the locale's translation JS file.
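An added example, not ownCloud's l10n.js and not code posted by anyone in this thread, of one way to answer the question above: compile the gettext Plural-Forms expression into a JavaScript function with a small recursive-descent parser that returns closures, so no string is ever handed to eval() or new Function() and the code runs under script-src 'self'. The grammar covered is the C subset gettext headers use (integers, n, %, comparisons, !, &&, ||, ?: and parentheses); anything else is rejected, which also means a tampered translation file cannot smuggle code in through the header. The function names (tokenize, parsePluralExpr, compilePluralForms, selectPlural) are hypothetical and the sample headers are constructed.

```javascript
// Added example (not ownCloud code): compile a gettext Plural-Forms expression
// into a JavaScript function without eval() or new Function(), so plural
// selection works under "script-src 'self'". All names are hypothetical.
// Binary operators of the C-like subset gettext allows; comparisons yield 0/1.
const BINARY_OPS = {
  '%': (a, b) => { if (b === 0) throw new RangeError('modulo by zero'); return a % b; },
  '<': (a, b) => (a < b ? 1 : 0), '>': (a, b) => (a > b ? 1 : 0),
  '<=': (a, b) => (a <= b ? 1 : 0), '>=': (a, b) => (a >= b ? 1 : 0),
  '==': (a, b) => (a === b ? 1 : 0), '!=': (a, b) => (a !== b ? 1 : 0),
};
// Split the expression into integers, the variable n and operators. Any other
// character (identifiers, quotes, '=') is rejected: that is the safety property.
function tokenize(src) {
  const tokens = [];
  for (let i = 0; i < src.length;) {
    const c = src[i];
    const two = src.slice(i, i + 2);
    if (/\s/.test(c)) { i += 1; continue; }
    if (/[0-9]/.test(c)) {
      let j = i;
      while (j < src.length && /[0-9]/.test(src[j])) j += 1;
      tokens.push({ type: 'num', value: parseInt(src.slice(i, j), 10) });
      i = j;
    } else if (c === 'n') { tokens.push({ type: 'n' }); i += 1; }
    else if (['||', '&&', '==', '!=', '<=', '>='].includes(two)) { tokens.push({ type: 'op', value: two }); i += 2; }
    else if ('<>%?:()!'.includes(c)) { tokens.push({ type: 'op', value: c }); i += 1; }
    else throw new SyntaxError(`unexpected character ${JSON.stringify(c)} at offset ${i}`);
  }
  return tokens;
}
// Recursive-descent parser. Every rule returns a closure (n) => number, so nothing
// reaches the JS engine as source text. Precedence, lowest first:
// ?:  ||  &&  == !=  < > <= >=  %  then unary ! and parentheses.
function parsePluralExpr(src) {
  const toks = tokenize(src);
  let pos = 0;
  const opAt = (...ops) => {
    const t = toks[pos];
    return t && t.type === 'op' && ops.includes(t.value) ? t.value : null;
  };
  const expect = (op) => {
    if (!opAt(op)) throw new SyntaxError(`expected '${op}' at token ${pos}`);
    pos += 1;
  };
  // Left-associative chain of binary operators at one precedence level.
  const chain = (next, ops, build) => () => {
    let left = next();
    for (let op = opAt(...ops); op; op = opAt(...ops)) { pos += 1; left = build(op, left, next()); }
    return left;
  };
  const arith = (op, l, r) => (n) => BINARY_OPS[op](l(n), r(n));
  function primary() {
    const t = toks[pos];
    if (!t) throw new SyntaxError('unexpected end of expression');
    if (t.type === 'num') { pos += 1; return () => t.value; }
    if (t.type === 'n') { pos += 1; return (n) => n; }
    if (opAt('(')) { pos += 1; const inner = ternary(); expect(')'); return inner; }
    if (opAt('!')) { pos += 1; const operand = primary(); return (n) => (operand(n) ? 0 : 1); }
    throw new SyntaxError(`unexpected token '${t.value}' at ${pos}`);
  }
  const mod = chain(primary, ['%'], arith);
  const rel = chain(mod, ['<', '>', '<=', '>='], arith);
  const eq = chain(rel, ['==', '!='], arith);
  const and = chain(eq, ['&&'], (op, l, r) => (n) => (l(n) ? (r(n) ? 1 : 0) : 0));
  const or = chain(and, ['||'], (op, l, r) => (n) => (l(n) ? 1 : (r(n) ? 1 : 0)));
  function ternary() { // right-associative, as in C
    const cond = or();
    if (!opAt('?')) return cond;
    pos += 1;
    const whenTrue = ternary();
    expect(':');
    const whenFalse = ternary();
    return (n) => (cond(n) ? whenTrue(n) : whenFalse(n));
  }
  const expr = ternary();
  if (pos !== toks.length) throw new SyntaxError(`unexpected token at ${pos}`);
  return expr;
}
// Parse a whole header and return plural(n) -> index in [0, nplurals). Bad counts
// and out-of-range results fail loudly instead of silently picking a wrong string.
function compilePluralForms(header) {
  const m = /^\s*nplurals\s*=\s*(\d+)\s*;\s*plural\s*=\s*(.+?)\s*;?\s*$/.exec(header);
  if (!m) throw new SyntaxError('malformed Plural-Forms header');
  const nplurals = parseInt(m[1], 10);
  const expr = parsePluralExpr(m[2]);
  return function plural(n) {
    if (!Number.isInteger(n) || n < 0) throw new RangeError('count must be a non-negative integer');
    const idx = expr(n);
    if (idx < 0 || idx >= nplurals) throw new RangeError(`plural index ${idx} out of range`);
    return idx;
  };
}
// Constructed sample headers in the shape .po files carry them.
const SAMPLE_HEADERS = {
  en: 'nplurals=2; plural=(n != 1);',
  fr: 'nplurals=2; plural=(n > 1);',
  pl: 'nplurals=3; plural=(n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);',
};
// Choose the translated form for a count, e.g. forms ['plik', 'pliki', 'plików'].
function selectPlural(header, forms, n) {
  return forms[compilePluralForms(header)(n)];
}
```

Compile once per locale and cache the returned function; parsing is cheap, but doing it on every lookup is wasteful. Because the parser never evaluates text, a header such as `plural=(n != 1) || document.cookie` is rejected at tokenizing time rather than executed.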

@LukasReschke LukasReschke added this to the 8.1-next milestone Jan 26, 2015
@LukasReschke
Member Author

Would love to get rid of that. – We really need this considering some recent hiccups in some JS code components.

@DeepDiver1975

LukasReschke added a commit that referenced this issue Feb 9, 2015
This change allows AppFramework applications to specify a custom CSP header for example when the default policy is too strict. Furthermore this allows us to partially migrate away from CSS and allowed eval() in our JavaScript components.

Legacy ownCloud components will still use the previous policy. Application developers can use this as follows in their controllers:
```php
$response = new TemplateResponse('activity', 'list', []);
$cspHelper = new ContentSecurityPolicyHelper();
$cspHelper->addAllowedScriptDomain('www.owncloud.org');
$response->addHeader('Content-Security-Policy', $cspHelper->getPolicy());
return $response;
```

Fixes #11857 which is a pre-requisite for #13458 and #11925
LukasReschke added a commit that referenced this issue Feb 16, 2015
@DeepDiver1975 DeepDiver1975 modified the milestones: 8.1-current, 8.2-next Apr 4, 2015
@LukasReschke
Member Author

We got bitten by this again: owncloud/gallery#295

We really need this at some point…

@ghost ghost added the sev2-high label Sep 10, 2015
@LukasReschke LukasReschke modified the milestones: 9.0-next, 8.2-current Oct 1, 2015
@LukasReschke
Member Author

=> Breaking change that affects third-party apps => Let's move to 9.0

@PVince81
Contributor

@LukasReschke also the handlebars situation was not solved.

Move to 9.1 ?

@LukasReschke LukasReschke modified the milestones: 9.1-next, 9.0-current Feb 18, 2016
@LukasReschke
Member Author

Yes.

@PVince81
Contributor

PVince81 commented Jun 1, 2016

Still can't get rid of eval due to client-side compiling of handlebars templates: #12848

@PVince81 PVince81 added this to the 9.2-next milestone Jun 1, 2016
@PVince81 PVince81 removed this from the 9.1-current milestone Jun 1, 2016
@PVince81
Contributor

PVince81 commented Jan 27, 2017

Not possible until we have precompiled handlebars templates everywhere -> backlog
