
When using the report-only mode of the Content-Security-Policy, Chrome does not execute eval() anymore.

For the following example, I would expect to get 2 reports (one for the inline script and one for the eval) and also to see a pop-up. But only the 2 reports are displayed in the console.

Do I use the CSP wrong or is there a bug with the CSP report-only mode in Chrome?

<!DOCTYPE html>
<html>
    <head>
        <!-- Same report-only policy delivered under the standard name and the two vendor-prefixed names -->
        <meta http-equiv="Content-Security-Policy-Report-Only"   content="default-src 'self'; report-uri /dummy.html"/>
        <meta http-equiv="X-Content-Security-Policy-Report-Only" content="default-src 'self'; report-uri /dummy.html"/>
        <meta http-equiv="X-WebKit-CSP-Report-Only"              content="default-src 'self'; report-uri /dummy.html"/>
        <script>
            eval('alert(1);');
        </script>
    </head>
</html>
JLRishe
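To check the expectation in the question against the policy itself, here is an added example (not code from the question or the answer): a small model of how a browser should treat a CSP string. It parses the policy, lists the script violations a page with an inline `<script>` and an `eval()` call must produce, and shows that whether anything is blocked depends only on the header name (report-only versus enforcing). It assumes the page uses no nonces or hashes, so `'unsafe-inline'` and `'unsafe-eval'` are the only keywords that matter for these two checks.

```javascript
// Split "default-src 'self'; report-uri /dummy.html" into a directive map.
// Per the spec, a directive that appears twice keeps its first occurrence.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Source-list keywords are case-insensitive.
function hasKeyword(sources, keyword) {
  return sources.some((s) => s.toLowerCase() === keyword);
}

// headerName is the header (or http-equiv attribute) the policy arrived in.
// Returns what should be reported and what should actually be blocked for a
// page containing one inline <script> block that calls eval().
function expectedScriptViolations(policy, headerName) {
  const d = parseCsp(policy);
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const scriptSrc = d["script-src"] || d["default-src"] || null;
  const violations = [];
  if (scriptSrc !== null) {
    // Assumption: no nonce/hash sources, so only these keywords permit the two uses.
    if (!hasKeyword(scriptSrc, "'unsafe-inline'")) violations.push("inline-script");
    if (!hasKeyword(scriptSrc, "'unsafe-eval'")) violations.push("eval");
  }
  const reportOnly = /-report-only$/i.test(headerName);
  const reportUri = d["report-uri"] ? d["report-uri"][0] : null;
  return {
    violations,                            // each one should produce a report
    blocked: reportOnly ? [] : violations, // report-only mode never blocks
    reportUri,                             // where the reports are POSTed, if anywhere
  };
}

// The question's setup: two violations expected, nothing blocked, reports to /dummy.html.
const questionResult = expectedScriptViolations(
  "default-src 'self'; report-uri /dummy.html",
  "Content-Security-Policy-Report-Only"
);
```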

1 Answer


I can replicate this, and I've filed https://bugs.webkit.org/show_bug.cgi?id=111867. I'll have a fix in shortly. It's a straightforward oversight on my part. Sorry about that.

Mike West
Hi Mike, I tried this again with Chrome 27 (27.0.1453.93m) and things are slightly better: eval() is now executed in report-only mode - but no longer reported in the console. – user2144597 May 21 '13 at 22:45