YUI violates Content-Security-Policy #1513
Assignees
Labels
Comments
ghost
assigned 
|
IIRC the global detection routine was changed to accommodate the detection of global when running in nodejs, we can revisit that one more time :) |
|
time to bump this up: we are looking for a brave soul to fix this: we need a better way to detect global on the browser or at least a way to force to use a global value from config rather than letting YUI to compute it if it doesn't know how to compute it reliably. this is also the reason why you can't use yui in a brower extension without blowing up the security of it. |
|
another repo comes from micro: https://github.com/yui/yui3/blob/master/src/template/js/template-micro.js#L178 |
|
Fixed in #1963. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Line 480 of yui.js uses
Function('return this')()as a way to get a reference to the global object.This poses a problem for sites that that do not allow
evalor similar methods for creating code from strings to protect against XSS attacks or data injection via the Content-Security-Policy response header, which would block execution of YUI almost immediately.The only option would be to enable the
unsafe-evaldirective, opening up the possibility of various attacks.The text was updated successfully, but these errors were encountered: