Comments (3)
'NEEDS_EVAL' contains all bypasses that also need 'unsafe-eval' in the policy to work.
So you're right GA works without eval, but some features (iirc tagmanager) used for the bypass do require eval to work.
So this means that the policy can only be bypassed (with the bypasses we found) if it whitelists GA and has 'unsafe-eval'.
Is GTM a part of GA natively? You don't need to specifically include it (and unsafe-eval) to bypass the policy, only GA (and unsafe-eval)?
No, GTM is not part of the native GA.
We only flag a CSP as bypassable if GTM is whitelisted (either domain or full path) AND 'unsafe-eval' is on.
https://csp-evaluator.withgoogle.com?csp=script-src https://www.google-analytics.com/ga.js;object-src 'none'
Currently NEEDS_EVAL is only used to mark all the domains serving GTM as not exploitable if there's no 'unsafe-eval'.
I know this is a bit confusing, sorry for that...
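The rule the maintainer spells out above, reduced to runnable form as an added example (this is not csp-evaluator's own code, which lives in the project's TypeScript checks): a policy is reported as bypassable through Google Tag Manager only when the effective script-src whitelists www.googletagmanager.com (by host, by wildcard, or by full path) AND contains 'unsafe-eval'; GTM without 'unsafe-eval' is the NEEDS_EVAL case and is not reported as bypassable. The GTM host list and the shape of the returned finding are assumptions for this example; bare `*` and scheme-only sources like `https:` are deliberately left out because csp-evaluator reports those as separate findings.

```javascript
// Added example, not csp-evaluator's own code. Encodes the rule from the
// thread: GTM whitelisted in the effective script-src AND 'unsafe-eval'
// present => bypassable. Host list and result shape are assumptions.

const GTM_HOSTS = ['www.googletagmanager.com']; // assumption: hosts treated as serving GTM

// Minimal CSP parser: directive name -> list of source expressions.
// Per the CSP spec a repeated directive is ignored, so the first wins.
function parseCsp(policy) {
  const directives = {};
  for (const chunk of policy.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// script-src falls back to default-src when it is absent.
function effectiveScriptSources(directives) {
  return directives['script-src'] || directives['default-src'] || [];
}

// Host part of a host-source such as https://www.googletagmanager.com/gtm.js
// or *.googletagmanager.com. Returns null for keyword ('self', 'unsafe-eval'),
// nonce, hash and scheme-only (https:, data:) sources.
function hostOfSource(source) {
  if (source.startsWith("'")) return null;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return null;
  let s = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, ''); // drop scheme
  s = s.split(/[\/?#]/)[0];                              // drop path/query/fragment
  s = s.split(':')[0];                                   // drop port
  return s.toLowerCase() || null;
}

// A source whitelists GTM if it names a GTM host exactly (with or without a
// path) or is a subdomain wildcard that covers one. A bare '*' is skipped
// here because csp-evaluator flags it as its own finding.
function sourceWhitelistsGtm(source) {
  const host = hostOfSource(source);
  if (!host || host === '*') return false;
  if (host.startsWith('*.')) {
    const suffix = host.slice(1); // ".googletagmanager.com"
    return GTM_HOSTS.some(h => h.endsWith(suffix));
  }
  return GTM_HOSTS.includes(host);
}

// Returns which conditions hold; `bypassable` is true only when both do.
function evaluateGtmBypass(policy) {
  const sources = effectiveScriptSources(parseCsp(policy));
  const whitelistsGtm = sources.some(sourceWhitelistsGtm);
  const hasUnsafeEval = sources.some(s => s.toLowerCase() === "'unsafe-eval'");
  return { whitelistsGtm, hasUnsafeEval, bypassable: whitelistsGtm && hasUnsafeEval };
}

// Example policies (constructed for this example).
for (const policy of [
  "script-src https://www.google-analytics.com/ga.js; object-src 'none'",
  "script-src https://www.googletagmanager.com/gtm.js 'unsafe-eval'; object-src 'none'",
  "script-src www.googletagmanager.com; object-src 'none'",
]) {
  console.log(policy, '=>', evaluateGtmBypass(policy));
}
```

The ga.js-only policy from the thread is not flagged because it whitelists neither GTM nor 'unsafe-eval'; the second policy is flagged; the third has GTM but no 'unsafe-eval', which is exactly the NEEDS_EVAL case the maintainer describes.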
Related Issues (20)
- `require-sri-for` has been deprecated
- object-src [missing]
- Csp-evaluator installation problem
- Add "export to text file" feature in frontend
- Not setting directives that don't fallback to default-src should be raised as a severity finding.
- script-src-elem 'self' 'unsafe-inline' 'unsafe-eval' reported as "all good"
- improve parsing of multi-value CSP headers
- Trusted Types should allow the 'none' keyword
- Add support for `navigate-to`
- Problem with latest version 1.0.2
- Change requests from Lighthouse
- Don't recommend trusted-types if CSP blocks scripts
- Hosted CSP Evaluator doesn't recognize 'wasm-unsafe-eval'
- CSP extension for speculation rules
- Frame Ancestors are allowed to have non-leading wildcards
- CSP evaluator doesn't support the newest CSP directives and keywords and breaks some policies
- www.googletagmanager.com does not need unsafe-eval for CSP bypass
- Newrelic endpoint no longer exists
- `CspParser` wrongly split directive using `data:` source containing `;base64...`
- script-src 'wasm-unsafe-eval' reported as invalid