Issues with Content Security Policy
See original GitHub issueWe are using CASL for our project to check permissions. recently we encountered that there are some issues with CSP in our application. Going further, we found that it is because of sift.js which has something like following in javascsript…
return"string"==typeof e?new Function("obj","return "+e)
CASL uses “sift” for Mongo DB like filters in javascript. I tried to go through CASL documentation, but found nothing related to CSP or Security. Has anybody got this issue before? Is it possible to fix this without adding “unsafe-eval”
following is the code snippet from stif.js which causes problem
Issue Analytics
- State:
- Created 4 years ago
- Comments:6 (5 by maintainers)
Top Results From Across the Web
Content Security Policy (CSP) - HTTP - MDN Web Docs
Chrome Edge
Content‑Security‑Policy Full support. Chrome25. more. Toggle history Full sup...
base‑uri Full support. Chrome40. Toggle history Full sup...
block‑all‑mixed‑content. Deprecated Full support. ChromeYes. Toggle history...
Read more >Content Security Policy (CSP) Not Implemented - Invicti
A Content Security Policy (CSP) Not Implemented is an attack that is similar to a Server-Side Template Injection (JinJava) that -level severity.
Read more >How to fix 'because it violates the following content security ...
Content Security Policy blocks all resources that don't match it's policy. To view the policy for a specific website use the CSP Evaluator....
Read more >Content Security Policy - OWASP Cheat Sheet Series
A strict policy's role is to protect against classical stored, reflected, and some of the DOM XSS attacks and should be the optimal...
Read more >What is Content Security Policy (CSP) | Header Examples
The main purpose of CSP is to mitigate and detect XSS attacks. XSS attacks exploit the browser's trust in the content received from...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
Agreed with sift author to integrate CSP support into his library 😃 waiting for him to merge my PR
@stalniy thanks for prompt response… I have created issue for stift.js #166