Changes


Security/CSP/Specification

918 bytes removed, 23:42, 8 March 2010
Code will not be created from strings
===Code will not be created from strings===
<font color="#a00">
* Restricted: User Agents MUST block:
** calls to eval()
** calls to setTimeout called with a String argument, e.g. setTimeout("evil string...", 1000)
** calls to setInterval called with a String argument, e.g. setInterval("evil string...", 1000)
** new calls to the Function constructor, e.g. var f = new Function("evil string...")
</font>
<font color="#060">
* Allowed: User Agents MUST not block:
** Functions declared using the function operator, e.g. function f() { some_code }, or var f = function() { some_code }
** calls to setTimeout called with a Function argument, e.g. setTimeout(myFunc, 1000)
** calls to setInterval called with a Function argument, e.g. setInterval(myFunc, 1000)
</font>
* Justification:
** eval and related functions make trivial the task of generating code from strings, which commonly come from untrusted sources, are loaded via insecure protocols, and can become tainted with attacker controlled data.
** Once tainted data has been introduced to a JavaScript program, it is extremely difficult to control its propagation, and calls to eval and similar are likely to incorporate tainted strings containing malicious code.
** Note: the common AJAX pattern in which a site makes an XMLHttpRequest to fetch JSON data is still enabled under CSP, using a JSON parser or inside a browser that has native JSON support.
* Sites may opt-out of this entire restriction by adding the <tt>eval-script</tt> keyword to the [[Security/CSP/Spec#options|options]] directive. This allows the blocked <tt>eval()</tt>, <tt>setTimeout()</tt>, <tt>setInterval()</tt>, and <tt>new Function()</tt> calls to proceed.
* Vulnerability types mitigated:
*# AJAX request tampering
*# Improper use of dynamic properties
'''On Violation:''' When this base restriction is violated, User Agents must generate and send a violation report with the <tt>violated-directive</tt> value set to "Base Restriction Violation: no code will be created with strings".
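The note above says the AJAX/JSON pattern survives this restriction when a JSON parser is used. The following is an added illustration (not code from the CSP specification or from Mozilla) that places the blocked form next to the allowed one, adds the shape check a parser still needs, and wraps setTimeout with the same Function-only rule the User Agent enforces; all names and the sample response bodies are assumptions constructed for the example.

```javascript
// Added example, not part of the CSP specification page. Names below are
// assumptions; the response bodies are constructed, not captured.

// Blocked form: evaluating the response body. eval() treats whatever arrived
// as script, so a body that is not plain data is executed rather than read.
function parseWithEval(text) {
  // Under CSP this call is blocked and reported unless the site opted in
  // with the eval-script option.
  return eval("(" + text + ")");
}

// Allowed form: a JSON parser. JSON.parse accepts only the JSON grammar, so a
// body carrying an expression is rejected instead of run. The optional
// `isExpected` predicate then checks the data's shape: CSP removes the
// execution risk, not the need to validate untrusted input.
function parseJsonResponse(text, isExpected) {
  let data;
  try {
    data = JSON.parse(text);
  } catch (e) {
    return { ok: false, reason: "not valid JSON" };
  }
  if (isExpected && !isExpected(data)) {
    return { ok: false, reason: "unexpected shape" };
  }
  return { ok: true, data };
}

// Timer wrapper applying the rule described above: a Function handler is
// accepted (setTimeout(myFunc, 1000) form), a String handler is refused.
function cspSetTimeout(handler, delayMs) {
  if (typeof handler !== "function") {
    throw new TypeError("setTimeout with a String handler is blocked by CSP");
  }
  return setTimeout(handler, delayMs);
}

// Constructed sample bodies for an "inbox summary" request (assumption).
const GOOD_BODY = '{"user":"alice","unread":3}';
const TAMPERED_BODY = "2 * 21"; // an expression, not data

// Shape check for the expected inbox summary object.
function isInboxSummary(d) {
  return d !== null && typeof d === "object" &&
         typeof d.user === "string" && Number.isInteger(d.unread);
}
```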
===No data: URIs unless opted-in to via explicit policy===