#2667 JS: Content-Security-Policy vs. eval()

SlimerDude Wed 3 Jan 2018

I'm attempting to secure a Fantom web application against Cross Site Scripting (XSS) using Content-Security-Policy (CSP).

For those who don't know, it's a HTTP response header that tells browsers and clients how they should restrict where content is loaded from. For example:

Content-Security-Policy: script-src 'self' https://www.google-analytics.com/

Would tell the browser that for this web page, it should only load scripts from the host server or from google-analytics. For details see:

One of the bigger benefits of CSP is being able to disable the dangerous eval() javascript statement as dynamic code execution has always been a cause for concern for XSS attacks.

The only issue is, the core Fantom JS libraries currently make use of eval().

To get Fantom to work with CSP, I can use the following directive:

Content-Security-Policy: script-src 'self' 'unsafe-eval'

But it would be much better if Fantom didn't rely on eval(), then I could subsequently drop the unsafe-eval.

Note that in sys.js I think eval() is only used in a couple of places:

  • Field.js - fan.sys.Field.prototype.get()
  • Method.js - fan.sys.Method.prototype.invoke()
  • ObjDecoder.js - fanx_ObjDecoder.prototype.readSimple()

Do you think these few eval() usages in Fantom JS could be refactored out?

andy Mon 8 Jan 2018

Ticket promoted to #2667 and assigned to andy

I'm not immediately sure how to remove those; but seems like we should be able to

Lets open a ticket to track

Login or Signup to reply.