
I am talking in an Angular context. If the hash value of every *.js file in index.html is referenced in the CSP header's script-src, do we still need to remove 'unsafe-eval' for better security?

user1168880
  • Yes. If you don't, an attacker could "maybe" still exploit some reflected XSS, while removing 'unsafe-eval' would eliminate the execution of it; thus not removing the XSS, but the execution, which you (further) could catch in a CSP report. – Dxg125 Feb 16 '23 at 09:25
  • I migrated my app from Angular 7 to 11. I have this issue of 'new Function' being refused by CSP because 'unsafe-eval' is not added. When I search my app for the key 'new Function', I see more than 100 occurrences. Do you have any suggestion for how to deal with this issue? – user1168880 Feb 17 '23 at 10:15
  • Check out the following: https://stackoverflow.com/questions/52573756/what-are-the-eval-related-functions-to-be-avoided-when-csp-is-enabled. TL;DR: don't use new Function(); create a function(){} instead. Edit: "But instead, the better option is to avoid having to create a function from a string." from https://stackoverflow.com/questions/56803578/alternative-option-for-new-function-string-to-real-javascript – Dxg125 Feb 17 '23 at 10:38
  • Thanks for the reply. I forgot to mention that these occurrences are in node_modules. How can I change files which I import? – user1168880 Feb 17 '23 at 11:36
  • Just to be sure, did you update the modules? Also, sometimes there's no way around it, depending on the modules (hard to say, as I don't know which ones). Maybe you need to add 'unsafe-eval' again if the modules are critically needed. But IMO, on non-critical modules I'd (remove / replace / update / whatever) those. – Dxg125 Feb 17 '23 at 12:48
  • I followed angular docs to migrate. – user1168880 Feb 18 '23 at 05:03

0 Answers