
I need to embed Vega-js library (a heavy user of new Function() evals) into a site with the locked down CSP (no eval allowed). I have been exploring two options, and would love feedback on the best path to take:

  • nonce - serve the eval-using script via the nonce directive, hoping that eval() error will not be triggered. This assumption might not be correct - I'm still trying to comprehend nonce limitations.
  • place the Vega graph in an <iframe sandbox='allow-scripts'>...</>, and communicate with it via messages. I don't know if it is possible for an <iframe> on a locked down site to have more lax security settings (allow evals) than its parent.
Yuri Astrakhan
  • The second option should currently be possible using `postMessage`. – guest271314 Jan 11 '18 at 00:02
  • You say, “I need to embed Vega-js library (a heavy user of `new Function()` evals) into a site with the locked down CSP (no eval allowed)” but then one of the options you say you’re considering is to add use of `nonce`. If by “locked down” you mean you can’t change the policy at all, then it’s unclear how you’d plan to adjust it to include a `nonce` source… – sideshowbarker Jan 11 '18 at 00:22
  • @sideshowbarker I can adjust the site's policy (e.g. add a `nonce`), but the security engineers do not want to allow `eval` for all of the site. They are ok to allow it for a specific library. – Yuri Astrakhan Jan 11 '18 at 00:45
  • 1
    Ah OK. Well then it definitely seems like the ` – sideshowbarker Jan 11 '18 at 00:51

1 Answer


I don't know if it is possible for an <iframe> on a locked down site to have more lax security settings (allow evals) than its parent.

It is actually possible for the <iframe> to have a more-lax CSP policy than its parent. Unless it’s an <iframe srcdoc=…>, it inherits nothing from the CSP policy of the parent and has no relationship to the parent CSP policy at all.

See the answer at What CSP child iframe inherits from its parent? and the section of the CSP spec at https://w3c.github.io/webappsec-csp/2/#which-policy-applies that covers “Any resource included via iframe, object, or embed.”

nonce - serve the eval-using script via the nonce directive, hoping that eval() error will not be triggered. This assumption might not be correct - I'm still trying to comprehend nonce limitations.

See the answer at What’s the purpose of the HTML "nonce" attribute for script and style elements? for a detailed explanation about how nonce works.

But even if you use a nonce to “whitelist” a particular script, that’s not going to allow use of eval by that script. With a CSP policy in place, the only way to allow use of eval is to specify 'unsafe-eval'. And if you specify that, it will allow use of eval by all scripts the document embeds — there’s no way to only allow use of eval by particular scripts but not by others.

sideshowbarker
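The two points in the answer above (a nonce never unlocks eval, and an <iframe src=…> is governed only by its own response headers while a srcdoc frame inherits the parent policy) can be checked with a small CSP analyser. This is an added example, not code from the question or answer; the policies, host name and nonce value are constructed placeholders.

```javascript
// Parse a Content-Security-Policy header into { directive: [sources] }.
// Per the spec, a directive that appears twice is ignored after the first.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Does this policy permit eval() / new Function()? Only the 'unsafe-eval'
// keyword does, read from script-src, or from default-src when script-src
// is absent (script-src fully replaces default-src when present; they are
// not merged). A 'nonce-…' source never enters into this decision.
function allowsEval(header) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] || policy['default-src'] || [];
  return sources.map(s => s.toLowerCase()).includes("'unsafe-eval'");
}

// Which policy governs script running inside an <iframe>? A srcdoc frame
// inherits the embedding document's policy; a frame loaded from its own URL
// is governed only by the CSP header of its own HTTP response.
function policyGoverningFrame(parentHeader, frame) {
  return frame.srcdoc !== undefined ? parentHeader : frame.responseHeader;
}

// Constructed policies: the locked-down parent site, and a separately
// served page that hosts the eval-using library.
const PARENT_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'";
const VEGA_FRAME_CSP = "default-src 'none'; script-src 'self' 'unsafe-eval'";

function summary() {
  const srcFrame = { src: 'https://example.invalid/vega-frame.html', responseHeader: VEGA_FRAME_CSP };
  const srcdocFrame = { srcdoc: '<script>new Function("1")()</script>' };
  return {
    parentAllowsEval: allowsEval(PARENT_CSP),                                        // false
    srcFrameAllowsEval: allowsEval(policyGoverningFrame(PARENT_CSP, srcFrame)),       // true
    srcdocFrameAllowsEval: allowsEval(policyGoverningFrame(PARENT_CSP, srcdocFrame)), // false
  };
}

console.log(summary());
```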