Content Security Policy (CSP) implemented with unsafe-eval

OWASP 2013-A5, OWASP 2017-A6, OWASP 2021-A5, OWASP 2019-API7, CWE-16, ISO27001-A.14.2.5, WASC-15, WSTG-CONF-12

Content Security Policy (CSP) is a security standard introduced to protect against cross-site scripting and other injection attacks. It works by restricting the sources from which the browser may load and execute content. Content Security Policy is a second layer of protection against Cross-site Scripting and related attacks. This application's Content Security Policy uses the unsafe directive value unsafe-eval. This allows string-evaluation functions such as eval() to run, which lets an attacker bypass the Content Security Policy and successfully exploit a Cross-site Scripting vulnerability.


            default-src 'self';
            script-src 'self';



This vulnerability leads to cross-site scripting and related attacks.

Mitigation / Precaution

Beagle recommends the following:

  • Set a proper Content Security Policy
  • Remove 'unsafe-eval' from the Content Security Policy directive
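The following is an added example, not code from the original page or from Beagle: a small auditor that parses a Content-Security-Policy header value, works out which directive governs script execution (script-src, falling back to default-src when script-src is absent), reports whether 'unsafe-eval' is present, and rebuilds the policy with that value removed. The two header values at the bottom are constructed samples; the function names are this example's own.

```javascript
// Added example (not from the original page): audit a CSP header value for
// 'unsafe-eval' and produce a hardened copy of the policy.

function parseCsp(headerValue) {
  // A CSP is a ';'-separated list of directives. Each directive is a name
  // followed by whitespace-separated source expressions. Browsers honour the
  // first occurrence of a directive name and ignore later duplicates.
  const directives = new Map();
  for (const rawDirective of headerValue.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function effectiveScriptSources(directives) {
  // script-src governs script execution (including eval); when it is absent
  // the browser falls back to default-src. If neither exists, scripts are
  // unrestricted by this policy.
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

function auditCsp(headerValue) {
  const directives = parseCsp(headerValue);
  const sources = effectiveScriptSources(directives);
  const findings = [];
  if (sources === null) {
    findings.push('no script-src or default-src: script execution is unrestricted');
    return { allowsEval: true, findings };
  }
  const lowered = sources.map((s) => s.toLowerCase());
  const allowsEval = lowered.includes("'unsafe-eval'");
  if (allowsEval) {
    findings.push("'unsafe-eval' present: eval() and similar string evaluation are permitted");
  }
  if (lowered.includes("'unsafe-inline'")) {
    findings.push("'unsafe-inline' present: inline scripts are permitted");
  }
  if (lowered.includes('*')) {
    findings.push('wildcard source: scripts may be loaded from any origin');
  }
  return { allowsEval, findings };
}

function removeUnsafeEval(headerValue) {
  // Mitigation: emit the same policy with 'unsafe-eval' dropped from every
  // directive. A directive left with no sources is equivalent to 'none'.
  const directives = parseCsp(headerValue);
  return [...directives.entries()]
    .map(([name, sources]) =>
      [name, ...sources.filter((s) => s.toLowerCase() !== "'unsafe-eval'")].join(' '))
    .join('; ');
}

// Constructed sample header values (not taken from any real application).
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-eval'";
const HARDENED_POLICY = "default-src 'self'; script-src 'self'";

console.log('weak    :', auditCsp(WEAK_POLICY));
console.log('hardened:', auditCsp(HARDENED_POLICY));
console.log('rewrite :', removeUnsafeEval(WEAK_POLICY));
```

The fallback rule matters in practice: a policy of `default-src 'self' 'unsafe-eval'` with no script-src still permits eval, while `default-src 'unsafe-eval'; script-src 'self'` does not, because script-src takes precedence for scripts. The auditor reads a single header value only; a page can also receive CSP from a `<meta>` tag or from several headers, in which case each policy has to be checked and the most restrictive one wins.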
