GitHub bug shows that Firefox and Chrome have become less secure:
With a recent change (last night) on GitHub, where their framework introduced a "new Function()" call in a CSP-protected document, it caused issues on older versions of Firefox. Those would start throwing errors:
"Error: call to Function() blocked by CSP"
The latest versions however, do not. This seems to be a regression.
Preliminary testing shows the following regression range:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=506facea63169a29e04eb140663da1730052db64&tochange=b3ec8a3373e8faca26c39e9ff577a2d4f8b6927a
The offending code in framework.js is
t.exports=new Function("return this")()
which is protected by CSP that doesn't include "unsafe-eval":
script-src assets-cdn.github.com;
So according to the spec this should be blocked, but apparently isn't, anymore.
https://bugzilla.mozilla.org/show_bug.cgi?id=1363298
Pale Moon is safe.
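An added example, not part of the post above or of GitHub's framework.js: a small runtime self-check a site can use to confirm its CSP really blocks the Function constructor, a parser that reports whether a script-src directive carries 'unsafe-eval' (using the post's quoted policy as constructed sample input), and a CSP-friendly replacement for the `new Function("return this")()` idiom so the bundle does not need 'unsafe-eval' at all. Function names and the sample header are assumptions made for this example.

```javascript
// Added example (not from the original post or from GitHub's code).

// Runtime self-check: returns true if the browser blocked `new Function()`
// (a conforming browser throws under a script-src without 'unsafe-eval'),
// false if the dynamic code was allowed to run. The regression described in
// the post is exactly the case where this returns false despite such a CSP.
// Outside a CSP-protected document (e.g. plain Node) it returns false.
function cspBlocksDynamicCode() {
  try {
    new Function("return this")();
    return false;
  } catch (e) {
    return true;
  }
}

// CSP-friendly way to obtain the global object: no eval, no Function
// constructor, so it works under `script-src` without 'unsafe-eval'.
// Covers browsers, web workers and Node.
function getGlobalWithoutEval() {
  if (typeof globalThis !== "undefined") return globalThis;
  if (typeof self !== "undefined") return self;      // browsers, workers
  if (typeof window !== "undefined") return window;  // older browsers
  if (typeof global !== "undefined") return global;  // Node
  throw new Error("unable to locate global object");
}

// Policy check for a CSP header value: does its script-src directive permit
// dynamic code? Returns true/false, or null when there is no script-src
// directive (default-src would then govern, which this helper does not model).
function scriptSrcAllowsEval(cspHeaderValue) {
  const directives = cspHeaderValue
    .split(";")
    .map((d) => d.trim())
    .filter(Boolean)
    .map((d) => d.split(/\s+/));
  const scriptSrc = directives.find((tokens) => tokens[0] === "script-src");
  if (!scriptSrc) return null;
  return scriptSrc.slice(1).includes("'unsafe-eval'");
}

// Constructed sample: the policy quoted in the post (no 'unsafe-eval').
const SAMPLE_CSP = "script-src assets-cdn.github.com;";

if (typeof require !== "undefined" && require.main === module) {
  console.log("policy allows eval:", scriptSrcAllowsEval(SAMPLE_CSP));
  console.log("Function constructor blocked here:", cspBlocksDynamicCode());
  console.log("global object found:", getGlobalWithoutEval() === globalThis);
}
```

Loading `cspBlocksDynamicCode()` from a page served with the sample header gives a quick browser-side check of the behaviour the post reports; `scriptSrcAllowsEval` is the server-side counterpart for auditing a header before deploying it.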