Wednesday, 15 July 2015

javascript - eval gets executed even though ng-csp directive is used -




I have enabled ngCsp using the ng-csp directive:

<body ng-app="pm" ng-csp ng-cloak>

Why am I still able to execute the following eval in my code without any Angular errors?

// Controller code: the model holds an expression string, and the change handler evals it.
$scope.searchform = { searchexpression: "alert('hi')" };
$scope.handlechange = function () {
  eval($scope.searchform.searchexpression);
};

// Template: the input is bound to the expression and triggers the handler on change.
<input type="text" ng-model="searchform.searchexpression" ng-change="handlechange(searchform.searchexpression)">

Am I not understanding what ng-csp is supposed to do?

AngularJS uses Function(string) generated functions as a speed optimization. Applying the ngCsp directive will cause Angular to use CSP compatibility mode. When this mode is on, AngularJS will evaluate all expressions up to 30% slower than in non-CSP mode, but no security violations will be raised.

(from the docs)

What this means is that using ng-csp alters how Angular behaves, so that it processes things manually rather than taking eval-based shortcuts. This is useful if you are using CSP on your document.

It is not a magical way of changing how JavaScript works.

javascript angularjs content-security-policy
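As an added example (not code from the question or the answer), here is a check for whether a Content-Security-Policy actually forbids eval(). The ng-csp attribute on the body only switches Angular to its non-eval expression interpreter; a direct eval() in controller code is blocked solely by the policy the browser enforces. The sample policies and page names below are constructed for illustration.

```javascript
// Added example: does a Content-Security-Policy actually forbid eval()?
// ng-csp on <body> changes only how Angular evaluates its own expressions; a direct
// eval() call in controller code is stopped solely by the CSP the browser enforces.

// Parse "name value value; name value" into a Map of directive -> [values].
// Per the CSP spec a repeated directive is ignored, so the first occurrence wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// eval() is governed by script-src, falling back to default-src when script-src is absent.
// Returns true when eval() would run: the governing directive lists 'unsafe-eval',
// no governing directive exists, or no policy was delivered at all.
function evalAllowed(policy) {
  if (!policy || !policy.trim()) return true;
  const directives = parseCsp(policy);
  const governing = directives.get('script-src') ?? directives.get('default-src');
  if (governing === undefined) return true;
  return governing.some(v => v.toLowerCase() === "'unsafe-eval'");
}

// Constructed sample deployments of the asker's <body ng-app="pm" ng-csp ng-cloak> page.
// ngCsp is recorded only to show that it has no bearing on the result.
const SAMPLE_PAGES = {
  ngCspOnlyNoHeader:   { ngCsp: true,  csp: '' },
  ngCspWithStrictCsp:  { ngCsp: true,  csp: "default-src 'self'" },
  cspAllowsEval:       { ngCsp: true,  csp: "default-src 'self'; script-src 'self' 'unsafe-eval'" },
  scriptSrcOverrides:  { ngCsp: false, csp: "default-src 'self' 'unsafe-eval'; script-src 'self'" },
};

// For each sample page, report whether eval($scope.searchform.searchexpression) would execute.
function auditPages(pages) {
  const result = {};
  for (const [name, page] of Object.entries(pages)) {
    result[name] = evalAllowed(page.csp);
  }
  return result;
}

console.log(auditPages(SAMPLE_PAGES));
```

Only ngCspOnlyNoHeader and cspAllowsEval report true; the first is exactly the asker's situation, where ng-csp is set but no policy was ever delivered.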
