117286 2013-06-06 00:59:33 -0700 Reporting mode of Content Security Policy: eval() is not reported 2015-12-10 17:20:42 -0800 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) Unspecified Unspecified RESOLVED DUPLICATE 111869 P2 Normal --- 0 masch webkit-unassigned dbates oldest_to_newest 897669 0 masch 2013-06-06 00:59:33 -0700 Follow-up to bug 111867 which is solved with Chrome 27 (version 27.0.1453.110 m). Now any usage of eval() isn't reported anymore in reporting-mode (but still blocked in non-reporting-mode). Example: <!DOCTYPE html> <html> <meta http-equiv="Content-Security-Policy-Report-Only" content="default-src 'self' 'unsafe-inline'; report-uri /dummy.html"/> <head> <script src="CSP.js"></script> <script> eval('alert(2);'); </script> </head> <body> </body> </html> CSP.js: eval('alert(1);'); 1148353 1 dbates 2015-12-10 17:20:42 -0800 *** This bug has been marked as a duplicate of bug 111869 ***