Content Security Policy excludes unsafe-eval
Why it matters
unsafe-eval in a Chrome extension's Content Security Policy permits dynamic code execution via eval(), new Function(), and related patterns — exactly the primitives an attacker uses in an XSS payload. Chrome Web Store (chrome-cws-csp-policy) blocks extensions with unsafe-eval in their CSP outright; there is no exception process. Beyond store rejection, allowing eval() in an extension context means any cross-site scripting vulnerability in the extension's pages can escalate to full browser API access, violating OWASP A03 (Injection) and CWE-95 (Improper Neutralization of Directives in Eval).
Severity rationale
High because `unsafe-eval` causes Chrome Web Store rejection and enables XSS-to-extension-API escalation if any content is rendered dynamically.
Remediation
Remove unsafe-eval, unsafe-inline, and unsafe-hashes from your manifest's CSP. The default restrictive policy applies if you omit the field entirely.
{
  "content_security_policy": {
    "extension_pages": "script-src 'self'; object-src 'self';"
  }
}
If you currently use eval() for dynamic logic, refactor to static code or use chrome.scripting.executeScript with a declared function reference. Bundlers like esbuild and Webpack compile templates to static JS at build time, eliminating any need for runtime eval().
Detection
- ID: csp-no-unsafe-eval
- Severity: high
- What to look for: Check the manifest's content_security_policy field (if present). Look for the strings unsafe-eval, unsafe-inline, or unsafe-hashes. These are security risks and not allowed in Chrome Web Store extensions.
- Pass criteria: Count every directive in the CSP. 0 instances of unsafe-eval, unsafe-inline, or unsafe-hashes found in the content security policy. The CSP is either absent (defaults to secure policy) or uses a secure, restrictive policy.
- Fail criteria: At least 1 instance of unsafe-eval, unsafe-inline, or unsafe-hashes in the manifest's CSP. Do NOT pass if unsafe-eval is present even in a development-only CSP — the manifest ships to production.
- Skip (N/A) when: Never — CSP security is a Chrome Web Store requirement.
- Detail on fail: "Manifest CSP includes 'unsafe-eval' in script-src" or "CSP allows unsafe-inline for styles".
- Remediation: Remove unsafe directives from your CSP:
  { "content_security_policy": { "extension_pages": "script-src 'self'; object-src 'self';" } }
  If you need dynamic code execution, use chrome.scripting.executeScript instead of problematic patterns.
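The check above, written out as an added example (not code from the extension-store-readiness project): it walks every directive of the manifest's CSP and reports each unsafe keyword with the directive it appears in. It assumes the manifest has already been parsed from JSON and that content_security_policy is either the Manifest V3 object form or the older Manifest V2 string form; the sample manifests are constructed for illustration.

```javascript
// Keywords the csp-no-unsafe-eval rule rejects anywhere in the CSP.
const UNSAFE_KEYWORDS = ["unsafe-eval", "unsafe-inline", "unsafe-hashes"];

// Split a CSP string such as "script-src 'self'; object-src 'self';"
// into { name, sources } records, one per directive.
function parseDirectives(csp) {
  return csp
    .split(";")
    .map((d) => d.trim())
    .filter(Boolean)
    .map((d) => {
      const [name, ...sources] = d.split(/\s+/);
      return { name, sources };
    });
}

// Returns { id, severity, status: "pass" | "fail", detail: string[] }.
function checkCspNoUnsafeEval(manifest) {
  const result = { id: "csp-no-unsafe-eval", severity: "high", status: "pass", detail: [] };
  const csp = manifest.content_security_policy;
  // Absent CSP: Chrome applies its default restrictive policy, so this passes.
  if (csp === undefined) return result;
  // Normalise both manifest forms (assumption: MV3 object or MV2 string)
  // to [scope, policyString] pairs so every key is scanned.
  const policies = typeof csp === "string" ? [["csp", csp]] : Object.entries(csp);
  for (const [scope, policy] of policies) {
    for (const { name, sources } of parseDirectives(policy)) {
      for (const src of sources) {
        // CSP keywords are quoted and case-insensitive: 'unsafe-eval'.
        const bare = src.replace(/'/g, "").toLowerCase();
        const keyword = UNSAFE_KEYWORDS.find((k) => bare === k);
        if (keyword) {
          result.status = "fail";
          result.detail.push(`Manifest CSP (${scope}) includes '${keyword}' in ${name}`);
        }
      }
    }
  }
  return result;
}

// Constructed sample manifests exercising the fail and pass paths.
const failingManifest = {
  manifest_version: 3,
  content_security_policy: {
    extension_pages: "script-src 'self' 'unsafe-eval'; object-src 'self';",
  },
};
const passingManifest = { manifest_version: 3 };
```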
External references
- cwe · CWE-95 — Improper Neutralization of Directives in Dynamically Evaluated Code (eval injection)
- owasp:2021 · A03 — Injection
- external · chrome-cws-csp-policy — Chrome Web Store — Content Security Policy (no unsafe-eval)
Taxons
History
- 2026-04-18·v1.0.0·Initial import from extension-store-readiness·automated