POCSP: How to allow unsafe-eval for a given URI prefix (Firefox)
<p>I'm trying to use <a href="http://mathjax.org/" rel="noreferrer">MathJax</a> as part of our web application, which uses a pretty strict <a href="http://www.w3.org/TR/CSP/" rel="noreferrer">Content Security Policy (CSP)</a>. The problem is that MathJax is coded to use <code>eval()</code> [to be exact, in the form of <code>Function()</code>], which is not considered safe by default by CSP.</p>
<p>I'm using the following CSP header currently:</p>
<pre><code>X-Content-Security-Policy: allow 'self'; img-src *; media-src *; frame-src *; font-src *; frame-ancestors 'none'; style-src *; report-uri '/:save-csp-violation';
</code></pre>
<p>This causes the MathJax 2.0 code to fail because it uses <code>Function()</code>. I tried to allow unsafe-eval (i.e. <code>Function()</code>) only for MathJax located within the same origin below the path <code>/:static/math/</code>. To do that, I tried to add</p>
<pre><code>unsafe-eval '/:static/math/*'
</code></pre>
<p>to make the full header look like</p>
<pre><code>X-Content-Security-Policy: allow 'self'; img-src *; media-src *; frame-src *; font-src *; frame-ancestors 'none'; style-src *; report-uri '/:save-csp-violation'; unsafe-eval '/:static/math/*'
</code></pre>
<p>but I still cannot get Firefox 13.0 to run the code. I'm getting an error message in the Firefox Web Console (located in Tools - Web Developer):</p>
<pre><code>[10:09:59.072] call to Function() blocked by CSP @ http://localhost:8080/:static/math/2.0/MathJax.js?config=TeX-AMS-MML_HTMLorMML:29
</code></pre>
<p>However, I'm not getting a CSP report to the 'report-uri'. (As you see, I'm currently running the test through a custom localhost port without SSL, in case that makes a difference. The colon before <code>static</code> is not a typo; I'm reserving all path parts starting with a colon for internal use of the application, and all user content may freely define other URLs.)</p>
<p><strong>Is my use of the <code>unsafe-eval</code> attribute incorrect, or is it impossible to allow unsafe-eval only for a subset of 'self'?</strong> The intent is to allow unsafe-eval only for the same-origin path prefix <code>/:static/math</code>, strict CSP JS code execution for '<code>self</code>', and no JS code for any other method.</p>
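<p>As an added example (not part of the question, and not MathJax or browser code), a small Python linter for the header quoted above: it flags directive names a browser does not recognise and quoted tokens that are not CSP keywords, and reports whether the policy as written permits <code>eval()</code>/<code>Function()</code>. The directive and keyword lists are CSP 1.0 plus the legacy Mozilla <code>allow</code>/<code>options</code> names; the exact message text and the rest of the code are this example's own choices, not a browser's parser.</p>

```python
# CSP 1.0 directive names plus the legacy Mozilla X-Content-Security-Policy
# names ("allow", "options") that the header in the question mixes in.
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "object-src", "style-src", "img-src",
    "media-src", "frame-src", "font-src", "connect-src", "sandbox",
    "report-uri", "frame-ancestors", "allow", "options",
}
# Quoted tokens a browser recognises; hosts, paths and report URIs are
# written unquoted, so any other quoted token is a mistake in the policy.
KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'"}

def parse_csp(header):
    """Split a policy into {directive_name: [tokens]}. Directives are
    ';'-separated; the first whitespace-separated token is the name."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def eval_allowed(policy):
    """Would eval()/Function() run? CSP 1.0 requires 'unsafe-eval' in
    script-src, otherwise in the fallback default-src (legacy: allow);
    the legacy Mozilla syntax used 'options eval-script' instead."""
    if "eval-script" in policy.get("options", []):
        return True
    for name in ("script-src", "default-src", "allow"):
        if name in policy:
            return "'unsafe-eval'" in policy[name]
    return False

def lint(header):
    """Return findings: unknown directives, malformed quoted tokens, and
    whether eval is permitted by the policy as a whole."""
    policy = parse_csp(header)
    findings = []
    for name, tokens in policy.items():
        if name not in KNOWN_DIRECTIVES:
            findings.append(f"unknown directive '{name}': browsers ignore it")
        for tok in tokens:
            if tok.startswith("'") and tok not in KEYWORDS:
                findings.append(f"{name}: quoted token {tok} is not a CSP keyword")
    findings.append(f"eval allowed: {eval_allowed(policy)}")
    return findings

# The header value from the question, copied as pasted there (constructed input).
QUESTION_HEADER = ("allow 'self'; img-src *; media-src *; frame-src *; font-src *; "
                   "frame-ancestors 'none'; style-src *; report-uri '/:save-csp-violation'; "
                   "unsafe-eval '/:static/math/*'")

if __name__ == "__main__":
    for line in lint(QUESTION_HEADER):
        print(line)
```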