Include the string to be compiled in the call to `HostEnsureCanCompileStrings` #938
Comments
Sounds good in theory. The only reason we didn't do this at the time was because it wasn't needed, IIRC. There are a couple of tricky things:
|
This issue also surfaced when creating the trusted types spec draft. In short, we're trying to figure out if |
Actually, having looked at it, for Trusted Types in specific, we might need to be able to validate and coerce a given 'eval' argument to a string before e.g.
The use case we have in Trusted Types is to be able to, in the host environment, allow
but optionally disallow:
or even transform it to :
Theoretically, this can still be done in
I'm not sure how involved the change is, both in spec and the implementations. |
Excellent question.
It seems that for mkwst's diagnostic purposes, (2) is not a breaker, but for TT, (1) is a breaker. Per the questions about functions, those seem like non-issues since, as koto points out, HostEnsureCanCompileStrings is never called. $ npx node@10 --disallow_code_generation_from_strings -e 'console.log(eval(() => {}))'
[Function]
$ npx node@10 --disallow_code_generation_from_strings -e 'console.log(eval("() => {}"))'
[eval]:1
console.log(eval("() => {}"))
^
EvalError: Code generation from strings disallowed for this context Perhaps we could tweak the |
@mikesamuel, this is now merged into https://github.com/tc39/proposal-dynamic-code-brand-checks, right? |
@koto, correct. https://tc39.es/proposal-dynamic-code-brand-checks/#sec-hostbeforecompilevalue |
To improve the quality of CSP reports, it would be helpful for
HostEnsureCanCompileStrings()
to include the string to be compiled as an argument.HostEnsureCanCompileStrings(callerRealm, calleeRealm, source)
seems ideal. :)The goal is to ensure that we can include a sample of the script which violates the policy when generating a CSP violation report. We're doing this for inline
<script>...</script>
blocks today, and layeringeval()
and the like on as well would be helpful.The text was updated successfully, but these errors were encountered: