
I am working on a NodeJS project and I'm using CSP (Content Security Policy).

I'm using an external plugin, FullCalendar, which is being blocked by CSP, giving the following error:

Error: call to Function() blocked by CSP

I used script-src 'self' 'unsafe-eval'; to override it, but it did not work in Firefox. In other browsers it is working fine.

I have been stuck on this issue for 4 hours.

It would be helpful to get the solution.

I am using the following format for the CSP restrictions.

X-Content-Security-Policy: default-src *; script-src 'self' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline img-src *;options eval-script;
X-WebKit-CSP: default-src *; script-src 'self' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline img-src *;
Content-Security-Policy: default-src *; script-src 'self' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline img-src *;

  • Do you want to use the `eval` function in CSP? – softvar Aug 06 '13 at 12:44
  • I'm not getting any other alternative rather than using it, so yes, I want to use the `eval` function. @VarunMalhotra – AMT Aug 06 '13 at 12:47
  • I'm going to answer with a more appropriate use of `eval` rather than using `eval` directly in CSP, which is deprecated or violates `CSP` rules. – softvar Aug 06 '13 at 12:51
  • OK, no problem, I will try with that one also. – AMT Aug 06 '13 at 12:54
  • What version of Firefox are you using? Your policies look solid to me :-/ Although the 'unsafe-eval' in the X-Content-Security-Policy header is invalid, maybe that's causing the issue. Anecdotally I've had more success using 'allow' over default-src for FF < 23. – oreoshake Aug 06 '13 at 17:06
  • I am using FF22. Can you suggest the valid form of 'unsafe-eval' in the X-Content-Security-Policy header to solve the issue? – AMT Aug 07 '13 at 08:55


Assuming this.disp contains the expression to be evaluated. Also disp: document.getElementById("id_of_text_input_field"). E.g. this.disp.value = 123/45*67+8-9%10. It will also take care of negative numbers, e.g. -123+3 = -120. Yay!

var calculator = {

  // the text input that holds the expression
  disp: document.getElementById("id_of_text_input_field"),

  compute: function compute() {
    this.disp.value = this.calculate(this.disp.value);
    if (this.update) this.update(this.disp.value.length);
    return this.disp.value;
  },

  calculate: function calculate(input) {

    var opr_list = { add : '+'
                   , sub : '-'
                   , div : '/'
                   , mlt : '*'
                   , mod : '%'
                   };

    // operator groups in precedence order: * / % first, then + -
    opr_list.opr = [[ opr_list.mlt , opr_list.div , opr_list.mod ],
                    [ opr_list.add , opr_list.sub ]];

    // drop anything that is not a number or an operator
    input = input.replace(/[^0-9%^*\/()\-+.]/g, '');

    var output, m;
    for (var i = 0, n = opr_list.opr.length; i < n; i++) {

      // matches "a op b"; both operands may carry a leading minus, so
      // -123+3 and intermediate results such as 5+-6 are handled
      var re = new RegExp('(-?\\d+\\.?\\d*)([\\' + opr_list.opr[i].join('\\') + '])(-?\\d+\\.?\\d*)');
      while ((m = re.exec(input)) !== null) {

        output = this.compute_result(opr_list, m[1], m[2], m[3]);

        if (isNaN(output) || !isFinite(output)) return output;
        // fold the sub-expression back into the input and keep reducing
        input = input.replace(re, String(output));
      }
    }

    // only a single number is left (or the bare input if it had no operator)
    return Number(input);
  },

  compute_result: function compute_result(opr_list, a, op, b) {
    a = a * 1; b = b * 1;
    switch (op) {
      case opr_list.add: return a + b;
      case opr_list.sub: return a - b;
      case opr_list.div: return a / b;
      case opr_list.mlt: return a * b;
      case opr_list.mod: return a % b;
      default: return NaN;
    }
  }
};

You can add more operators and cases as per your requirements, e.g. square, x^y, etc.

  • Dude, I am not using any `eval()` here. I am getting a function blocked in CSP which comes under the `eval script base restriction`. I got the suggestion that we should use `unsafe-eval & unsafe-inline`, but for me it is not working, so I'm asking for any other alternatives... – AMT Aug 06 '13 at 13:04
  • Oh, you may contact Mozilla developers on IRC. They will help you get out of it. – softvar Aug 06 '13 at 13:10
  • Any luck with contacting Firefox devs regarding things? – albert Apr 18 '16 at 12:27

The simplest way I found on the Internet. Embed a meta tag in your index.html file:

<meta http-equiv="Content-Security-Policy"
        content="
        default-src *;
        style-src * 'unsafe-inline';
        script-src * 'unsafe-eval';
        img-src * data:;
        " />

This will allow rendering and the use of metafiles like images, JavaScript and CSS from other sources or platforms.

    This is dangerous; unsafe-eval is a common cause of XSS attacks. Much better to remove the use of eval/Function constructor than allow eval from any source. – Dr Rob Lang Oct 21 '21 at 12:59
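As an added example that is not code from the question or either answer, here is a small linter (written for this page) that parses a Content-Security-Policy string and reports the weak spots this thread turns on: 'unsafe-eval', script sources from any origin, plus two syntax slips that silently weaken a policy, an unterminated quote and directives run together without ';'. The finding texts are my own wording; directive and keyword names follow the CSP grammar.

```javascript
// Added example (not from the question or either answer): lint a CSP string
// for the weaknesses discussed in this thread and for two parsing slips.
const SRC_DIRECTIVE = /^[a-z]+(-[a-z]+)*-src$/;
// "name src src; name src" -> Map. Browsers honour only the first occurrence
// of a directive, so repeats are ignored here as well.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function lintCsp(policy) {
  const findings = [];
  const directives = parseCsp(policy);
  for (const [name, sources] of directives) {
    for (const src of sources) {
      // Odd quote count: a keyword like 'unsafe-inline was never closed; the
      // browser ignores it and a following img-src becomes a source, not a directive.
      if ((src.match(/'/g) || []).length % 2 === 1) {
        findings.push(`${name}: unterminated quote in ${src}`);
      }
      // A directive name where a source should be means a ';' is missing.
      if (SRC_DIRECTIVE.test(src)) {
        findings.push(`${name}: '${src}' looks like a directive (missing ';')`);
      }
    }
  }
  // script-src falls back to default-src when it is absent.
  const scriptSrc = directives.get('script-src') || directives.get('default-src');
  if (!scriptSrc) {
    findings.push('script-src: neither script-src nor default-src set');
  } else {
    if (scriptSrc.includes("'unsafe-eval'")) {
      findings.push("script-src: 'unsafe-eval' lets eval()/Function() run injected strings");
    }
    if (scriptSrc.includes("'unsafe-inline'")) {
      findings.push("script-src: 'unsafe-inline' lets injected inline scripts run");
    }
    if (scriptSrc.some((s) => s === '*' || /^https?:$/.test(s))) {
      findings.push('script-src: scripts may be loaded from any origin');
    }
  }
  return findings;
}
```

Run it over a policy before shipping it; an empty findings list for a policy that still has 'unsafe-eval' in an unexpected directive is the cue to check where the browser actually placed the keyword.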