Reputation: 221
How is it possible to add a directive 'unsafe-eval' only for one source?
I'm developing a Cordova application and, as I need to allow script-src from multiple sources (external scripts like Twitter, etc.), I set in the meta http-equiv="Content-Security-Policy" tag: script-src *
<meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline' data: gap: * 'unsafe-eval'; style-src 'self' 'unsafe-inline'; script-src * 'self' 'unsafe-inline' 'unsafe-eval';">
This works but it is dangerous because it's wide open.
So I would like to add 'unsafe-eval' only for the script that needs it (https://maps.googleapis.com in my example).
Is it possible?
Upvotes: 15
Views: 5851
Reputation: 1151
You can't.
'unsafe-eval' in a policy isn't some kind of flag or attribute that is applied to some particular script source. Instead, it is a script source in and of itself, as you can see in this excerpt from the CSP spec:
source-expression = scheme-source / host-source / keyword-source / nonce-source / hash-source
scheme-source = scheme-part ":"
host-source = [ scheme-part "://" ] host-part [ port-part ] [ path-part ]
keyword-source = "'self'" / "'unsafe-inline'" / "'unsafe-eval'"
Also, even if you could, this wouldn't protect you from some other script triggering the unsafe eval within the Maps API code with its own string to evaluate.
Have a look at CSP unsafe-eval using Google Maps API though; maybe you can get rid of 'unsafe-eval' altogether.
Upvotes: 13