I'm attempting to secure a Fantom web application against Cross Site Scripting (XSS) using Content-Security-Policy (CSP).
For those who don't know, it's an HTTP response header that tells browsers and clients how they should restrict where content is loaded from. For example:
Content-Security-Policy: script-src 'self' https://www.google-analytics.com/
Would tell the browser that for this web page, it should only load scripts from the host server or from google-analytics. For details see:
The only issue is, the core Fantom JS libraries currently make use of eval().
To get Fantom to work with CSP, I can use the following directive:
Content-Security-Policy: script-src 'self' 'unsafe-eval'
But it would be much better if Fantom didn't rely on eval(), then I could subsequently drop the unsafe-eval.
Note that in sys.js I think eval() is only used in a couple of places:
Do you think these few eval() usages in Fantom JS could be refactored out?
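To make the two headers in this post concrete, here is a small added example (not Fantom code, and not part of the original post) that parses a Content-Security-Policy value into its directives and reports what the effective script policy permits. The `parseCsp`, `effectiveScriptSources` and `scriptPolicyReport` names are my own; the fallback from `script-src` to `default-src` follows the CSP specification, and a policy with neither directive leaves scripts unrestricted.

```javascript
// Added example: inspect what a CSP header allows for scripts.
// Assumed helper names (not from Fantom or the post): parseCsp,
// effectiveScriptSources, scriptPolicyReport.

// Split a header value such as "script-src 'self'; img-src *" into a
// Map of directive name -> source list. Browsers honour the first
// occurrence of a directive and ignore later duplicates, so do the same.
function parseCsp(headerValue) {
  const policy = new Map();
  for (const rawDirective of headerValue.split(';')) {
    const parts = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, parts.slice(1));
  }
  return policy;
}

// script-src governs scripts; if it is absent, default-src applies;
// if both are absent, script loading is unrestricted (null).
function effectiveScriptSources(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Summarise the script policy: is eval() permitted, are inline scripts
// permitted, and which host expressions are allowed.
function scriptPolicyReport(headerValue) {
  const sources = effectiveScriptSources(parseCsp(headerValue));
  if (sources === null) {
    return { restricted: false, allowsEval: true, allowsInline: true, hosts: [] };
  }
  const lower = sources.map((s) => s.toLowerCase());
  return {
    restricted: true,
    allowsEval: lower.includes("'unsafe-eval'"),
    allowsInline: lower.includes("'unsafe-inline'"),
    // Keyword sources are quoted ('self', 'none', ...); anything else
    // is a host or scheme expression.
    hosts: sources.filter((s) => !s.startsWith("'")),
  };
}

// Walk through the two headers from the post (constructed sample input).
const examples = [
  "script-src 'self' https://www.google-analytics.com/",
  "script-src 'self' 'unsafe-eval'",
];
for (const header of examples) {
  console.log(header, '=>', JSON.stringify(scriptPolicyReport(header)));
}
```

The first header reports `allowsEval: false`, so a page served with it would refuse the eval() calls in sys.js; the second reports `allowsEval: true`, which is the concession the post describes.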
Ticket promoted to #2667 and assigned to andy
I'm not immediately sure how to remove those, but it seems like we should be able to.
Let's open a ticket to track.