CSP unsafe-eval in script-src #269
Comments
…` that might or might not have XSS implications](#269).
|
This has been rolled back as 1.19.3.
It's not an API change, or even an API addition, so we could semver-lawyer
about it all day... but on the whole a minor version bump for changing out
the backend that powers a feature would make sense next time, sure.
Now that we've done the cautious thing, can you shed any light on what's
actually going on in this report? Does it actually look like an unsafe eval
of user-entered code, or is it more the use of eval internally in a way
that's possibly safe but forbidden in your environment?
…On Wed, Dec 5, 2018 at 3:23 AM Tomasz Racia ***@***.***> wrote:
One of the changes you made since version 1.19.0 raised CSP
<https://content-security-policy.com/> error of using unsafe-eval in
script-src.
Based on the logs provided below, it looks like introducing css-tree:
[image: sanitize-csp-error]
<https://user-images.githubusercontent.com/1853824/49499617-dfd26a00-f86e-11e8-85f0-ee0bf883d94a.png>
I would consider it at least minor if not major, for sure not patch.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#269>, or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAB9fS6xAThUpP9lqiDAKnoaIFbGPDS3ks5u14KbgaJpZM4ZCOMC>
.
--
*Thomas Boutell, Chief Software Architect*
P'unk Avenue | (215) 755-1330 | punkave.com
|
|
Keeping the issue open until it's clear whether css-tree may come back or not. |
|
I double checked and it occurs for any input and is caused by csstree/lib/walker/create.js. It doesn't even get to the point where I sanitize HTML. Thanks for quick response! 🙇♂️ |
|
@raciat since @jbraithwaite is working to fix this issue upstream in |
|
I didn't dive too deep into this, so I don't know what's the actual content being blocked. For me it occurs if server sends CSP header without |
|
csstree/csstree#91 was just merged with release v1.0.0-alpha.35. Can we re-apply #267 with updated dependency |
|
@chris13524 I believe we can. |
|
See #308 |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
not stale |
|
@chris13524 Looking back at #308, it looks like css-tree would increase the size of the build. What is the benefit of switching to that? For some context, we're looking to remove the build from this module in the |
|
@abea ah yes, you are right! I guess this can be closed, then? |
One of the changes you made since version
1.19.0raised CSP error of usingunsafe-evalinscript-src.Based on the logs provided below, it looks like introducing
css-tree:I would consider it at least minor if not major, for sure not patch.
The text was updated successfully, but these errors were encountered: