Yuri Astrakhan

Reputation: 10025

Enabling CSP's unsafe-eval in an iframe

I need to embed Vega-js library (a heavy user of new Function() evals) into a site with the locked down CSP (no eval allowed). I have been exploring two options, and would love feedback on the best path to take:

Upvotes: 1

Views: 2662

Answers (1)

sideshowbarker

Reputation: 88286

I don't know if it is possible for an <iframe> on a locked down site to have a more lax security settings (allow evals) than its parent.

It is actually possible for the <iframe> to have a more-lax CSP policy than its parent. Unless it’s an <iframe srcdoc=…>, it inherits nothing from the CSP policy of the parent and has no relationship to the parent CSP policy at all.

See the answer at What CSP child iframe inherits from its parent? and the section of the CSP spec at https://w3c.github.io/webappsec-csp/2/#which-policy-applies that covers “Any resource included via iframe, object, or embed.”

nonce - serve the eval-using script via the nonce directive, hoping that eval() error will not be triggered. This assumption might not be correct - I'm still trying to comprehend nonce limitations.

See the answer at What’s the purpose of the HTML "nonce" attribute for script and style elements? for a detailed explanation about how nonce works.

But even if you use nonce to “whitelist” a particular script, that’s not going to allow use of eval by that script. With a CSP policy in place, the only way to allow use of eval is to specify 'unsafe-eval'. And if you specify that, it will allow use of eval by all scripts the document embeds — there’s no way to only allow use of eval by particular scripts but not by others.

Upvotes: 2
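Added example, not code from the question or the answer: a minimal Python http.server that keeps the parent page locked down and grants 'unsafe-eval' only on the separate document loaded into the iframe via src=, plus a small checker for which policy actually permits eval. The paths, HTML and policy strings are assumptions constructed for the illustration.

```python
# Added example (not from the original question or answer). All paths,
# HTML and policies below are constructed for this illustration.
from http.server import BaseHTTPRequestHandler, HTTPServer

# Parent document: no eval anywhere; scripts and frames only from this origin.
PARENT_CSP = "default-src 'self'; script-src 'self'; frame-src 'self'"
# Iframe document: the only place 'unsafe-eval' is granted. It applies to
# every script this document embeds, so the frame should host Vega alone.
FRAME_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval'"

# The frame uses src=, not srcdoc=: a srcdoc iframe would inherit PARENT_CSP.
PARENT_HTML = (b"<!doctype html><title>Parent</title>"
               b"<iframe src='/vega-frame.html'></iframe>")
FRAME_HTML = (b"<!doctype html><title>Vega frame</title>"
              b"<script src='/vega.min.js'></script>")

ROUTES = {
    "/": (PARENT_CSP, PARENT_HTML),
    "/vega-frame.html": (FRAME_CSP, FRAME_HTML),
}

def csp_for_path(path: str) -> str:
    """CSP header value sent for a path (parent policy for unknown paths)."""
    return ROUTES.get(path, (PARENT_CSP, b""))[0]

def allows_eval(csp: str) -> bool:
    """True if script-src (falling back to default-src) grants 'unsafe-eval'."""
    directives = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0]] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    return "'unsafe-eval'" in sources

class CspHandler(BaseHTTPRequestHandler):
    """Serves each route with its own Content-Security-Policy header."""
    def do_GET(self):
        if self.path not in ROUTES:
            self.send_error(404)
            return
        csp, body = ROUTES[self.path]
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Security-Policy", csp)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), CspHandler).serve_forever()
```

Because 'unsafe-eval' applies to every script in the framed document, the frame should contain nothing but the Vega bundle and the data it needs.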
