Menu
I'm using this method to detect CSP with eval (also used in AngularJS):
function noUnsafeEval() {
try {
new Function('');
return false;
} catch (err) {
return true;
}
}
But I don't have a server with CSP at hand to thoroughly test it.
Is it reliable? Can the presence of new Function('') line in code cause the error that cannot be caught?
What is err? Which kind of error is caught there (Error, TypeError, etc)? What does the message of CSP error say?
I couldn't find the documentation on runtime errors in CSP.
764
Conduct a find (Ctrl-F on Windows, Cmd-F on Mac) and search for the term “Content-Security-Policy”. If “Content-Security-Policy” is found, the CSP will be the code that comes after that term.
Remember, the role of a Content Security Policy (CSP) is to block everything you haven't allowed. If you open up the console in your browser developer tools (F12) you typically will see a lot of errors. The first error might complain about lacking a report-uri but we'll get to that later.
To test for misconfigurations in CSPs, look for insecure configurations by examining the Content-Security-Policy HTTP response header or CSP meta element in a proxy tool: unsafe-inline directive enables inline scripts or styles making the applications susceptible to XSS attacks.
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.
Regarding how to detect CSP, there is another stackoverflow question: How to detect Content Security Policy (CSP) and it also shows your function.
It should be safe to use it, because, as long as the code reaches the function constructor (i.e. it is not blocked before by some other restriction), you will invariably get a return value from the noUnsafeEval.
From my knowledge, it will throw an EvalError (mozilla) if CSP disallows unsafe eval. But this may differ from browser to browser.
The best way to be sure would be to test this. You can use http://mockbin.org to create a HTTP endpoint which return a page with the right CSP headers and your function. I made such a bin here: http://mockbin.org/bin/cc6029e5-8aac-4a54-8fd1-abf41e17042a. If you open it, open the dev console and debug the code, you will see the exception:
You can also find this information in the W3C recommandations / drafts: CSP 1.1, CSP 2, CSP 3. In 1.1 you would get a SecurityError instead of an EvalError.
170
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
