This repository has been archived by the owner on Nov 4, 2024. It is now read-only.
Incorrect CSP analysis of eval()
#240
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
The Term
Blocks execution of JavaScript's eval() function by not allowing 'unsafe-eval' inside script-srchas flawed logic in the implementation - Passes the test even when there is noscript-srcdefined...Example:
https://observatory.mozilla.org/analyze/stackoverflow.com
CSP does not limit scripts:
upgrade-insecure-requests; frame-ancestors 'self' https://stackexchange.com, yet the test is passed:The text was updated successfully, but these errors were encountered: