CWE-95 (Eval Injection) applies directly, and CWE-79 (Cross-site Scripting) applies whenever the evaluated string originates from page, network, or user content: 'unsafe-eval' in an extension CSP enables eval(), new Function(), and setTimeout()/setInterval() with string arguments, all of which execute attacker-controlled strings as code. In an extension page that code runs with the extension's chrome.* API access and every permission the manifest grants. OWASP A03 (Injection) covers this attack class. Chrome's MV2 documentation strongly recommends against relaxing the default policy with 'unsafe-eval'; MV3 refuses to load a manifest whose extension_pages policy contains it (the only eval-like source MV3 accepts there is 'wasm-unsafe-eval'). In MV2, its presence usually means code written for an ordinary web page was pasted in without being adapted to the privilege model extensions require.
Critical because `'unsafe-eval'` allows dynamic string execution in a privileged extension context, enabling any injected string to invoke `chrome.*` APIs directly.
Remove 'unsafe-eval' from the CSP and refactor every eval(), new Function(), and string-argument setTimeout()/setInterval() call to a static alternative. The fragment below is the MV3 form (an object keyed by extension_pages); in MV2 content_security_policy is a single string carrying the same directives.
"content_security_policy": {
"extension_pages": "script-src 'self'; object-src 'none'"
}
For template rendering without eval, build nodes with document.createElement and set .textContent rather than interpolating values into an HTML string; assigning interpolated markup to innerHTML only trades CWE-95 for CWE-79. If a devtools panel genuinely must evaluate arbitrary user code, move that logic into a sandboxed page: list it under the manifest's sandbox.pages key and load it in an iframe. Sandboxed pages get their own policy (content_security_policy.sandbox), which Chrome allows to contain 'unsafe-eval', but they have no access to chrome.* APIs and communicate with the rest of the extension only through postMessage, so evaluated code cannot reach extension privileges directly.
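The point above, as an added example that is not part of the original rule page: the same "{{key}}" template rendered first by a helper that compiles it into a JavaScript template literal (which needs 'unsafe-eval' and executes anything the template author writes), then by a helper that only tokenizes and looks values up, emitting DOM nodes via createElement and textContent. The fakeDocument() stand-in, the hostile template and the data are constructed for the example so it runs under Node; in an extension page you would pass the real document.

```javascript
// Vulnerable: the template becomes code. A "${...}" placed by whoever controls
// the template runs with the caller's privileges (chrome.* in an extension page).
function renderWithEval(template, data) {
  const body = 'return `' + template.replace(/\{\{(\w+)\}\}/g, '${d.$1}') + '`;';
  return new Function('d', body)(data); // only works with 'unsafe-eval' in the CSP
}

// Safe: lex the template into literal text and {{key}} lookups. Nothing from the
// template is executed; "${...}" is just text that did not match the lookup syntax.
function tokenize(template) {
  const tokens = [];
  const re = /\{\{(\w+)\}\}/g;
  let last = 0;
  let m;
  while ((m = re.exec(template)) !== null) {
    if (m.index > last) tokens.push({ type: 'text', value: template.slice(last, m.index) });
    tokens.push({ type: 'lookup', key: m[1] });
    last = re.lastIndex;
  }
  if (last < template.length) tokens.push({ type: 'text', value: template.slice(last) });
  return tokens;
}

// Build DOM nodes with createElement/textContent. The browser treats every value
// as text, so neither "${...}" in the template nor "<script>" in the data can run.
// hasOwnProperty keeps {{constructor}}-style keys from walking the prototype chain.
function renderToElement(doc, template, data) {
  const root = doc.createElement('span');
  for (const t of tokenize(template)) {
    const node = doc.createElement(t.type === 'lookup' ? 'b' : 'span');
    node.textContent = t.type === 'lookup'
      ? (Object.prototype.hasOwnProperty.call(data, t.key) ? String(data[t.key]) : '')
      : t.value;
    root.appendChild(node);
  }
  return root;
}

// Constructed stand-in for the browser's document (assumption: only createElement,
// appendChild and textContent are needed). Not a real DOM implementation.
function fakeDocument() {
  function element(tag) {
    const el = { tagName: tag, children: [], _text: '' };
    Object.defineProperty(el, 'textContent', {
      get() { return el.children.length ? el.children.map((c) => c.textContent).join('') : el._text; },
      set(v) { el.children = []; el._text = String(v); },
    });
    el.appendChild = (child) => { el.children.push(child); return child; };
    return el;
  }
  return { createElement: element };
}

// Constructed attacker input: a template that smuggles code past the {{key}} syntax.
const HOSTILE_TEMPLATE = 'Hi {{name}}${(globalThis.__evalRan = true, "")}';
const DATA = { name: 'Ada <script>alert(1)</script>' };

// Runs both renderers on the same input and reports whether template code executed.
function demonstrate() {
  delete globalThis.__evalRan;
  const evalOutput = renderWithEval(HOSTILE_TEMPLATE, DATA);
  const evalRanCode = globalThis.__evalRan === true;
  delete globalThis.__evalRan;
  const safeOutput = renderToElement(fakeDocument(), HOSTILE_TEMPLATE, DATA).textContent;
  const safeRanCode = globalThis.__evalRan === true;
  return { evalOutput, evalRanCode, safeOutput, safeRanCode };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demonstrate());
}
```

The eval path produces the expected greeting and silently runs the smuggled expression; the safe path renders the smuggled text verbatim as a text node and executes nothing. Note that the "safe" output still contains the literal script tag from the data, which is harmless only because it reaches the page through textContent, never innerHTML.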
ID: extension-permissions-security.content-security-policy.no-unsafe-eval
Severity: critical
What to look for: Quote the script-src directive from the CSP (in MV3 the extension_pages policy; in MV2 the single content_security_policy string). Search for the literal token 'unsafe-eval' in that directive. Enumerate all source files and for each count occurrences of eval(, Function( / new Function(, and setTimeout( or setInterval( whose first argument is a string, since all of these require 'unsafe-eval' to work.
Pass criteria: 'unsafe-eval' is NOT present in the CSP script-src directive that governs extension pages. Zero occurrences of eval(), new Function(), or string-argument setTimeout()/setInterval() in the codebase. The extension does not rely on dynamic code execution.
Fail criteria: 'unsafe-eval' is present in script-src, or the code uses eval() patterns that would require it (a dangling 'unsafe-eval' with no sinks is still a fail: it widens what any future injection can do).
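An added example implementing the check above; it is not part of the original rule page or of any tool it describes. It reads the policy that governs extension pages from a parsed manifest (MV2 string form or MV3 object form, deliberately ignoring the sandbox policy where 'unsafe-eval' is the supported pattern), quotes the script-src directive, and runs regex triage over source text for the sinks listed. The regexes are heuristics, not a JavaScript parser, so hits are leads to confirm by hand, and aliases such as window['eval'] are out of scope. The two manifests and the sample source are constructed inputs.

```javascript
// Constructed sample manifests: an MV2 manifest that relaxed its policy, and an
// MV3 manifest that keeps 'unsafe-eval' only in the sandbox policy.
const MV2_MANIFEST = {
  manifest_version: 2,
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};
const MV3_MANIFEST = {
  manifest_version: 3,
  content_security_policy: {
    extension_pages: "script-src 'self'; object-src 'self'",
    sandbox: "sandbox allow-scripts; script-src 'self' 'unsafe-eval'",
  },
};

// Split a CSP string into directives and return the sources of script-src,
// falling back to default-src, which governs scripts when script-src is absent.
function scriptSrc(csp) {
  const directives = csp.split(';').map((d) => d.trim()).filter(Boolean);
  const find = (name) => directives.find((d) => d.split(/\s+/)[0] === name);
  const d = find('script-src') || find('default-src');
  return d ? d.split(/\s+/).slice(1) : [];
}

// The policy that applies to privileged extension pages. MV2 stores it as a
// string; MV3 stores it under extension_pages. The sandbox policy is excluded
// on purpose: sandboxed pages have no chrome.* access. null means the default
// policy is in effect, which never includes 'unsafe-eval'.
function extensionPagesCsp(manifest) {
  const csp = manifest.content_security_policy;
  if (manifest.manifest_version === 2) return typeof csp === 'string' ? csp : null;
  return csp && typeof csp.extension_pages === 'string' ? csp.extension_pages : null;
}

function cspAllowsUnsafeEval(manifest) {
  const csp = extensionPagesCsp(manifest);
  return csp !== null && scriptSrc(csp).includes("'unsafe-eval'");
}

// Sinks that only work under 'unsafe-eval'. setTimeout/setInterval count only
// when the first argument starts a string or template literal; a function or
// identifier argument is the normal, safe usage.
const SINK_PATTERNS = [
  { name: 'eval()', re: /\beval\s*\(/ },
  { name: 'Function()', re: /\b(?:new\s+)?Function\s*\(/ },
  { name: 'setTimeout/setInterval(string)', re: /\bset(?:Timeout|Interval)\s*\(\s*['"`]/ },
];

// Line-by-line triage of source text; returns one hit per (line, sink) pair.
function findEvalSinks(source) {
  const hits = [];
  source.split('\n').forEach((line, i) => {
    for (const { name, re } of SINK_PATTERNS) {
      if (re.test(line)) hits.push({ line: i + 1, sink: name, text: line.trim() });
    }
  });
  return hits;
}

// Verdict in the shape the rule asks for: quoted directive, CSP flag, sink list.
function checkNoUnsafeEval(manifest, source) {
  const csp = extensionPagesCsp(manifest);
  const allowsEval = cspAllowsUnsafeEval(manifest);
  const sinks = findEvalSinks(source);
  return {
    pass: !allowsEval && sinks.length === 0,
    scriptSrc: csp === null ? '(default CSP)' : 'script-src ' + scriptSrc(csp).join(' '),
    cspAllowsUnsafeEval: allowsEval,
    sinks,
  };
}

// Constructed sample source mixing safe and unsafe calls (lines 2, 4, 5 are sinks).
const SAMPLE_SOURCE = [
  "const cfg = JSON.parse(raw);",
  "const tpl = new Function('d', 'return `' + html + '`');",
  "setTimeout(() => tick(), 500);",
  "setTimeout('refresh(' + id + ')', 1000);",
  "const v = eval(userInput);",
  "window.evaluate(expr);",
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(checkNoUnsafeEval(MV2_MANIFEST, SAMPLE_SOURCE), null, 2));
}
```

Run it against a real extension by replacing the constructed manifest with JSON.parse of manifest.json and feeding each .js file's contents to findEvalSinks; the MV3 sample passes the CSP half of the check even though its sandbox policy contains 'unsafe-eval', which is the intended distinction.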
Skip (N/A) when: Never — unsafe-eval is a critical security risk for extensions.
Detail on fail: "CSP allows 'unsafe-eval', enabling eval() and new Function(). This is a major security risk."
Remediation: Remove 'unsafe-eval' from the manifest.json CSP. Refactor code to avoid eval(), new Function(), and string-argument timers. If you must evaluate user-supplied code (e.g., a devtools panel), run it in a sandboxed page and exchange inputs and results over postMessage; chrome.scripting.executeScript takes a function or a list of files rather than a code string, so it is not a substitute for evaluating arbitrary text and would in any case run that code in a tab, not in the extension.
"content_security_policy": { "extension_pages": "script-src 'self'; object-src 'none'" }