Task #63712
closed
Avoid use of eval() and replace it
100%
Description
The use of the eval() can be slow and insecure, so maybe it's better to avoid and replace it.
More info on:
http://www.nczonline.net/blog/2013/06/25/eval-isnt-evil-just-misunderstood/
After it is implemented it should be possible to use (in nginx):
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'";
Now 'unsafe-eval' still needed in default-src
Updated by Mathias Schreiber almost 10 years ago
- Target version changed from 7.0 to 7.1 (Cleanup)
Updated by Benni Mack over 9 years ago
- Target version changed from 7.1 (Cleanup) to 7.4 (Backend)
Updated by Susanne Moog over 9 years ago
- Target version changed from 7.4 (Backend) to 7.5
Updated by Benni Mack about 9 years ago
- Target version changed from 7.5 to 7 LTS
Updated by Stefan Neufeind about 9 years ago
- Status changed from New to Resolved
just a few remaining evals, but all in JavaScript-code. Let's imho close it
Updated by Peter Proell almost 9 years ago
There is still (7.6) CSP Issues in the backend (/typo3).
We should add a fitting CSP to the .htaccess in /typo3. Currently I am adding
Header set Content-Security-Policy "default-src * 'unsafe-eval' 'unsafe-inline';
in /typo3/.htaccess to overrule the more strict CSP of the website itself and make the backend work as well.
It would be a nice security feature if the TYPO3 backend would support a stricter CSP.
Infos on CSP:
http://content-security-policy.com/
https://de.wikipedia.org/wiki/Content_Security_Policy
Updated by Peter Proell almost 9 years ago
Opened a new ticket https://forge.typo3.org/issues/73047 as I cannot reopen this one.
Updated by Riccardo De Contardi about 7 years ago
- Status changed from Resolved to Closed