oleg@: Is this only for `eval()`, or are resource requests like those generated by `importScripts()` enforced as well? I ask because `eval()`'s handling is a little special, requiring cooperation between V8 and Blink in some complicated ways.

+Andy

Hey Andy,

`eval()` was the simplest repro in the dev console, but we were getting this with something like `new Function('return 123;')()`, too (which I'm guessing uses something like `eval()` under the hood). We're not using `importScripts()`, so I'm not sure about the behavior there. In any case, the error stopped when I added `unsafe-eval` to the CSP.

Let me know if you need any more info!

Oleg

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/02b4622b5182f80acd62e85aa17a0d86ad77ab8b

commit 02b4622b5182f80acd62e85aa17a0d86ad77ab8b
Author: Andy Paicu <andypaicu@chromium.org>
Date: Mon Nov 05 10:28:20 2018

Ensure eval flag is properly transfered to context from CSPRO

When setting the eval flag for a worker context, report only policies
were treated as enforcing. Because AllowEval with supress reporting
does not take into account the ReportOnly state of the policy because
it calls CheckEval directly.

AllowEval: https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/frame/csp/content_security_policy.cc?g=0&l=603

CheckEval is called here: https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/frame/csp/csp_directive_list.cc?g=0&l=712

Bug:  777076 
Change-Id: I80994553037d29c9301aff1ea845386c776c6837
Reviewed-on: https://chromium-review.googlesource.com/c/1301439
Commit-Queue: Andy Paicu <andypaicu@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#605289}
[add] https://crrev.com/02b4622b5182f80acd62e85aa17a0d86ad77ab8b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/generic/cspro-not-enforced-in-worker.html
[add] https://crrev.com/02b4622b5182f80acd62e85aa17a0d86ad77ab8b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/generic/cspro-not-enforced-in-worker.html.sub.headers
[add] https://crrev.com/02b4622b5182f80acd62e85aa17a0d86ad77ab8b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/generic/support/eval.js
[add] https://crrev.com/02b4622b5182f80acd62e85aa17a0d86ad77ab8b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html
[add] https://crrev.com/02b4622b5182f80acd62e85aa17a0d86ad77ab8b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html.sub.headers
[add] https://crrev.com/02b4622b5182f80acd62e85aa17a0d86ad77ab8b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/eval-allowed-in-report-only-mode.html
[add] https://crrev.com/02b4622b5182f80acd62e85aa17a0d86ad77ab8b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/eval-allowed-in-report-only-mode.html.sub.headers
[delete] https://crrev.com/c7175f461cf20721ddb5d3f475f6e00019df94bf/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report-expected.txt
[delete] https://crrev.com/c7175f461cf20721ddb5d3f475f6e00019df94bf/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.php
[delete] https://crrev.com/c7175f461cf20721ddb5d3f475f6e00019df94bf/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-expected.txt
[delete] https://crrev.com/c7175f461cf20721ddb5d3f475f6e00019df94bf/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode.php
[modify] https://crrev.com/02b4622b5182f80acd62e85aa17a0d86ad77ab8b/third_party/blink/renderer/core/frame/csp/csp_directive_list.cc