I want to allow 'unsafe-eval' for a script-src policy, but only for a specific domain. For example, I only want scripts from *.example.net to be able to use eval().
script-src 'unsafe-inline' *;script-src 'unsafe-eval' 'unsafe-inline' *.example.net blob:;
The above does not work. How can I achieve this behavior?
The Content Security Policy (CSP) prevents the evaluation of arbitrary strings as JavaScript to make it more difficult for an attacker to inject unauthorized code on your site. To solve this issue, avoid using eval(), new Function(), setTimeout([string], ...) and setInterval([string], ...) for evaluating strings.
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.
I want to allow 'unsafe-eval' for a 'script-src' policy, but only for a specific domain.
How can I achieve this behavior?
You can’t. Content Security Policy doesn’t provide a way to do that.
Both 'unsafe-eval' and *.example.net are just different types of what the CSP spec calls a “source expression”, and the values of CSP directives such as script-src are what the CSP spec calls “source lists” — lists of separate individual source expressions.
And source expressions in a CSP source list have no internal association with each other — instead they each apply globally to the directive they’re associated with.
So if you specify 'unsafe-eval' for the value of a script-src directive, then that always has the effect of globally allowing eval() in any JavaScript code the document relies on.
There is no other syntax in CSP to express “only allow 'unsafe-eval' for *.example.net”. There’s just no way to express that in CSP.
From https://w3c.github.io/webappsec-csp/#framework-directive-source-list:
Many directives' values consist of source lists: sets of strings which identify content that can be fetched and potentially embedded or executed. Each string represents one of the following types of source expression:
- Keywords such as 'none' and 'self' (which match nothing and the current URL’s origin, respectively)
- Serialized URLs such as https://example.com/path/to/file.js (which matches a specific file) or https://example.com/ (which matches everything on that origin)
- Schemes such as https: (which matches any resource having the specified scheme)
- Hosts such as example.com (which matches any resource on the host, regardless of scheme) or *.example.com (which matches any resource on the host’s subdomains (and any of its subdomains' subdomains, and so on))
- Nonces such as 'nonce-ch4hvvbHDpv7xCSvXCs3BrNggHdTzxUA' (which can match specific elements on a page)
- Digests such as 'sha256-abcd...' (which can match specific elements on a page)
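To make the directive/source-list model above concrete, here is an added example (not code from the question or the answer) that parses a policy string the way the spec describes it and reports whether eval() is permitted for scripts. It assumes the CSP3 parsing rule that a directive name repeated within one policy is ignored after its first occurrence, and that script-src falls back to default-src; the policy strings are constructed from the question.

```python
"""Parse a CSP policy into directives and source lists, then check eval().
Added example; policies are constructed from the question, and the
'first directive wins' rule follows CSP3 parsing (duplicate names ignored)."""

def parse_policy(policy: str) -> dict:
    """Return {directive_name: [source expressions]}; first occurrence wins."""
    directives = {}
    for token in policy.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        if name in directives:
            continue          # CSP3: a repeated directive name is ignored
        directives[name] = parts[1:]
    return directives

def script_sources(directives: dict):
    """script-src falls back to default-src; None means no restriction at all."""
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src")

def eval_allowed(policy: str) -> bool:
    """'unsafe-eval' in the governing source list applies to every script,
    whatever host expressions sit beside it in the same list."""
    sources = script_sources(parse_policy(policy))
    if sources is None:
        return True
    return "'unsafe-eval'" in (s.lower() for s in sources)

def hosts_in(policy: str) -> list:
    """Host, scheme and wildcard expressions in the governing list (no keywords)."""
    sources = script_sources(parse_policy(policy)) or []
    return [s for s in sources if not s.startswith("'")]

# The asker's policy: the second script-src is a duplicate and is dropped,
# so no 'unsafe-eval' survives and eval() is blocked for every script.
ASKER_POLICY = ("script-src 'unsafe-inline' *;"
                "script-src 'unsafe-eval' 'unsafe-inline' *.example.net blob:;")

# One script-src carrying both: eval() is enabled for scripts from every
# listed source, not only *.example.net; there is no per-host scoping.
MERGED_POLICY = "script-src 'unsafe-eval' 'unsafe-inline' * *.example.net blob:"

if __name__ == "__main__":
    for label, p in (("asker", ASKER_POLICY), ("merged", MERGED_POLICY)):
        print(label, "eval allowed:", eval_allowed(p), "hosts:", hosts_in(p))
```

Running it shows the asker's policy blocks eval() everywhere, while the merged single directive allows it for all listed hosts, which is exactly the all-or-nothing behaviour the answer describes.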