CSP Strict Dynamic EDIT: This link provides some incorrect information. See answer below.

From the above link, it sounds like strict-dynamic allows loaded scripts to create additional scripts, does the same hold true for the eval keyword? In other words, would using strict-dynamic in combination with a nonce allow a third party dependency hosted on an internal CDN to be loaded that would then be able to use the eval keyword to generate javascript from strings?

From this StackOverflow question here, I am aware that it is not possible to use a combination of unsafe-eval etc. to get the granularity required.

Is there a way to allow eval for very specific use cases in 2021 or is unsafe-eval required if I am unable to refactor the code to remove the use of eval?

Elijah1210
  • Per spec and per current browser implementations, no, there is no way to allow eval only for specific use cases. So yes, unsafe-eval is required if you are unable to refactor the code to remove the use of eval. Nothing has ever changed in the spec with regard to this, nor in browser implementations (and as far as I can see, it’s never going to change). – sideshowbarker Jul 05 '21 at 23:06

1 Answer

From the above link, it sounds like strict-dynamic allows loaded scripts to create additional scripts, does the same hold true for the eval keyword?

The link you refer to does not provide correct information. 'strict-dynamic' does not cause 'unsafe-eval' to be ignored; the page also contains other misleading information.

'unsafe-eval' acts as a global page flag (see the Note to paragraph 4); therefore it covers the whole page, not designated scripts.

Is there a way to allow eval for very specific use cases in 2021?

Yes, there is one "very specific use case": in the Firefox browser you can allow 'unsafe-eval' for workers, but not for scripts on the page.

granty
  • I started testing out some more and noticed that same behaviour, parts of that link are definitely incorrect. I was hoping that strict-dynamic would allow dynamic javascript from sources I already trusted but it doesn't look like the case. It looks like I have no choice but to use unsafe-eval. Thanks! – Elijah1210 Jul 08 '21 at 13:50
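Added example, not code from the question or the answer above: a small JavaScript model of the two separate CSP decisions this thread is about. The first is whether a given `<script>` may run; under 'strict-dynamic' that trust comes from a matching nonce or from having been created (via DOM APIs, not parser-inserted markup) by an already trusted script. The second is whether `eval()` may run, which is decided once for the whole document from the script-src list (falling back to default-src) and is unaffected by nonces, 'strict-dynamic' or script-src-elem. The function names, the policy strings, the nonce value and the CDN host are made up for the demo, and host matching is simplified to exact string comparison (no wildcards, schemes, paths or hashes).

```javascript
// Added example (not from the original post). Models CSP3's fallback chains and the
// 'strict-dynamic' / 'unsafe-eval' rules well enough to show that a nonce-trusted
// dependency loaded under 'strict-dynamic' still cannot call eval(), and that
// 'unsafe-eval', once present, applies to every script on the page.
// Assumed names: parsePolicy, governingList, evalAllowed, scriptAllowed, scenario.

// Parse a serialized policy ("name src src; name src ...") into a Map of source lists.
// Per spec, a repeated directive name is ignored after its first occurrence.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const raw of serialized.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// CSP3 fallback chains. Script elements: script-src-elem -> script-src -> default-src.
// eval(): script-src -> default-src. script-src-elem never governs eval.
function governingList(policy, what) {
  const chain = what === "element"
    ? ["script-src-elem", "script-src", "default-src"]
    : ["script-src", "default-src"];
  for (const name of chain) if (policy.has(name)) return policy.get(name);
  return null; // no governing directive: nothing is restricted
}

const hasKeyword = (list, kw) => list.some((s) => s.toLowerCase() === kw);

// Decision 2: eval is a page-wide flag; nonces and 'strict-dynamic' play no part.
function evalAllowed(serialized) {
  const list = governingList(parsePolicy(serialized), "eval");
  return list === null || hasKeyword(list, "'unsafe-eval'");
}

// Decision 1. script = { nonce, host, parserInserted, createdByTrustedScript }.
function scriptAllowed(serialized, script) {
  const list = governingList(parsePolicy(serialized), "element");
  if (list === null) return true;
  const nonces = list
    .filter((s) => /^'nonce-.+'$/i.test(s))
    .map((s) => s.slice("'nonce-".length, -1));
  if (script.nonce && nonces.includes(script.nonce)) return true;
  if (hasKeyword(list, "'strict-dynamic'")) {
    // Host sources, 'self' and 'unsafe-inline' are ignored. Trust propagates only to
    // scripts a trusted script creates through DOM APIs, never to parser-inserted markup.
    return Boolean(script.createdByTrustedScript) && !script.parserInserted;
  }
  if (script.host) return list.includes(script.host); // simplified host allow-list
  return hasKeyword(list, "'unsafe-inline'");         // inline script without a nonce
}

// Scenario from the question (constructed): a nonced bootstrap script pulls a dependency
// from an internal CDN, and that dependency wants to call eval().
const STRICT = "script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'none'";
const STRICT_WITH_EVAL =
  "script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-eval'; object-src 'none'; base-uri 'none'";
const CDN = "https://cdn.internal.example";

function scenario(policy = STRICT) {
  const bootstrap = { nonce: "r4nd0m", parserInserted: true };
  const dependency = { host: CDN, parserInserted: false, createdByTrustedScript: true };
  const injected = { host: CDN, parserInserted: true }; // e.g. markup injected by an attacker
  return {
    bootstrapRuns: scriptAllowed(policy, bootstrap),     // nonce matches
    dependencyRuns: scriptAllowed(policy, dependency),   // created by a trusted script
    injectedRuns: scriptAllowed(policy, injected),       // parser-inserted, no nonce
    dependencyMayEval: evalAllowed(policy),              // page-wide flag, not per script
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("strict-dynamic only:", scenario());
  console.log("with 'unsafe-eval':", scenario(STRICT_WITH_EVAL));
}
```

Running the scenario shows the asymmetry the answer describes: with the nonce plus 'strict-dynamic' policy the bootstrap and its CDN dependency run while injected markup does not, yet `dependencyMayEval` is false; adding 'unsafe-eval' flips it to true for the dependency and for every other script on the page alike, because there is no per-script form of that keyword.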