Consider adding TT.emptyScript #218

koto · 2019-09-16T07:14:21Z

This might be used to check for the eval(TrustedScript) support. It can't be polyfilled, and requires some support from the JavaScript runtime, so it's possible there would exist environments in which eval(TrustedScript) is not available, whereas other TT restrictions are supported. The check then might be:

if (eval(trustedTypes.emptyScript)) {
  // Traditionally, eval(nonString) returns its input, and Objects are truthy.
  eval("we_have_to_use_strings_here");
} else { 
  // eval(TrustedScript) would execute if supported, returning a falsy value.
  eval(myTrustedScriptObj)
}

or

eval(memoize(eval(trustedTypes.emptyString)) ? trustedScript.toString() : trustedScript)

That would allow authors to set up script-src 'unsafe-eval' 'trusted-script'; trusted-types a b c which would lock down eval() as much as it is possible for a given environment.

The text was updated successfully, but these errors were encountered:

Fix w3c#218.

Fix #218.

koto mentioned this issue Sep 19, 2019

Figure out if we need 'trusted-script' in script-src #221

Closed

koto added polyfill spec labels Sep 30, 2019

koto added a commit to koto/trusted-types that referenced this issue Dec 13, 2019

Add trustedTypes.emptyScript.

fca4009

Fix w3c#218.

koto mentioned this issue Dec 13, 2019

Add trustedTypes.emptyScript. #251

Merged

koto closed this as completed in #251 Dec 13, 2019

koto added a commit that referenced this issue Dec 13, 2019

Add trustedTypes.emptyScript. (#251)

d2dd649

Fix #218.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Consider adding TT.emptyScript #218

Consider adding TT.emptyScript #218

koto commented Sep 16, 2019 •

edited

Loading

Consider adding TT.emptyScript #218

Consider adding TT.emptyScript #218

Comments

koto commented Sep 16, 2019 • edited Loading

koto commented Sep 16, 2019 •

edited

Loading