CSP - Script source



As I am quite new to the topic of CSP, I have installed a Chrome plugin called CSP Evaluator.

When logged in in my owncloud instance, it shows the following hints:

_script-src_
'self' can be problematic if you host JSONP, Angular or user uploaded files.
'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().

As far as I understand the aim of CSP, it is meant to mitigate XSS attacks. Hence the script-src is one of the most important directives. Both 'self' and 'unsafe-eval' should be replaced by an external script which cannot be modified by an XSS attack.
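The two evaluator hints quoted above as a programmatic check over a CSP header, beside a nonce-based script-src that triggers neither. This is an added example, not code from the post or from ownCloud; the policies and the nonce value are constructed.

```python
"""Parse a Content-Security-Policy header and report the script-src findings
the CSP Evaluator raised in the post. Added example; WEAK and STRICT are
constructed policies, not ownCloud's actual header."""
from typing import Dict, List


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def script_src_findings(header: str) -> List[str]:
    """Return evaluator-style warnings for the effective script-src."""
    policy = parse_csp(header)
    # script-src falls back to default-src when it is absent.
    sources = policy.get("script-src", policy.get("default-src", []))
    findings = []
    if "'self'" in sources:
        findings.append("'self': risky if this origin serves JSONP, Angular "
                        "or user-uploaded files")
    if "'unsafe-eval'" in sources:
        findings.append("'unsafe-eval': eval()/new Function() on injected "
                        "strings will run")
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    # Browsers ignore 'unsafe-inline' once a nonce or hash is present.
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        findings.append("'unsafe-inline': any injected <script> tag runs")
    return findings


# Constructed policy resembling the one the evaluator warned about.
WEAK = ("default-src 'self'; script-src 'self' 'unsafe-eval'; "
        "style-src 'self' 'unsafe-inline'")

# Nonce-based policy: only <script nonce="..."> tags the server emitted run.
# The nonce must be fresh random bytes per response (constructed value here);
# 'strict-dynamic' lets those trusted scripts load further scripts.
STRICT = ("script-src 'nonce-r4nd0mV4lu3' 'strict-dynamic'; "
          "object-src 'none'; base-uri 'none'")

if __name__ == "__main__":
    for name, policy in (("WEAK", WEAK), ("STRICT", STRICT)):
        print(name, script_src_findings(policy) or ["no script-src findings"])
```

The check only covers the hints the evaluator reported here; a real review also looks at object-src, base-uri and whether the nonce is actually regenerated per response.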



If you think there is a security issue here please see https://owncloud.org/security/

Reports of such stuff in here won't get noticed and will be lost in the void.