We use the following CSP header:
default-src 'self' *.ourdomain.com; script-src 'self' *.ourdomain.com 'sha256-[...]' 'unsafe-eval';
connect-src 'self' *.ourdomain.com;
style-src 'unsafe-inline' * 'self' data:; font-src *;
img-src * 'self' data:
The recommendation by our security team is not use unsafe-eval.
My question is: as long as we are using sha256-[...] to restrict any script that we haven't deployed ourselves, what is the security risk of still keeping unsafe-eval in the CSP header? In what situation would this still expose us to cross-site attacks?
The Content Security Policy (CSP) prevents the evaluation of arbitrary strings as JavaScript to make it more difficult for an attacker to inject unauthorized code on your site. To solve this issue, avoid using eval() , new Function() , setTimeout([string], ...) and setInterval([string], ...) for evaluating strings.
It is only ok to use unsafe-inline when it is combined with the strict-dynamic csp directive. On browsers that support strict-dynamic (CSP Level 3+), the unsafe-inline is ignored, and provides a route to backwards compatibility on browsers that support CSP Level 2 or lower.
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks.
Whenever you see the prefix unsafe in a CSP keyword, that means that using this is not the most secure way to go. It is better to refactor your code to avoid using HTML event handler attributes (such as onload , onclick , onmouseover etc.)
Because eval is literally unsafe. Eval in every language means "take this string and execute it code." Sure, you may be using eval in a semi-safe way, but as long as you allow it at all, you are saying "anyone is allowed to execute arbitrary code in my application given an entry point".
It is my opinion that there is no reason to use eval. Show me a case where eval is required in actual useful code and I'll bet that I can rewrite the code without using eval or declare it as impossibly secure code.
Disallowing Inline script is only half the battle, especially if you use jquery.
Quiz: does this code trigger an inline script violation or an eval violation?
$('body').html('<script>alert(1)</script>')
You may be surprised.
Spoiler:
it's eval (at the time this was written)
The security risk is that it doesn't protect any of your own code that may be vulnerable because eval
is used.
If you are using eval
in your own code you should question why. Is there a safer alternative that can be employed instead?
See here for a (contrived) example of how code can be injected by an attacker. Of course whether this can be done to your site very much depends on your code.
The upshot is that there's almost always an alternative to using eval
.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With