Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add new trusted-eval source expression to 'script-src' directive. #473

Closed
wants to merge 1 commit into from
Closed

Add new trusted-eval source expression to 'script-src' directive. #473

wants to merge 1 commit into from

Conversation

lukewarlow
Copy link
Member

@lukewarlow lukewarlow commented Mar 12, 2024
edited by pr-preview bot

Fixes #221 and #143

This allows removal of 'unsafe-eval' keyword provided you enforce trusted types and replace it with 'trusted-eval'.

  • At least two implementers are interested (and none opposed):
    • ...
  • Tests are written and can be reviewed and commented upon at:
  • Implementation bugs are filed:
    • Chromium: …
    • Gecko: …
    • WebKit: …
  • MDN issue

Preview | Diff

@lukewarlow lukewarlow added this to the v2 milestone Mar 12, 2024
@lukewarlow
Copy link
Member Author

This is not part of v1 of trusted types and as such is not covered by any existing standards positions. So we'll need to file positions separately when the time comes.

lukewarlow
lukewarlow commented Mar 12, 2024
View reviewed changes
spec/index.bs
@@ -1779,6 +1802,9 @@ throws an "`EvalError`" if not:

1. <ins>If |sourceString| is not equal to |source|, throw an {{EvalError}}.</ins>

1. <ins>Let |requireTrustedTypes| be the result of executing [$Does sink type require trusted types?$] algorithm,
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As currently written this doesn't deal with the case where script-src is in enforcement mode but requre-trusted-types-for isn't.

lukewarlow
lukewarlow commented Mar 12, 2024
View reviewed changes
spec/index.bs
3. If |source-list| is not `null`, and does not contain a [=source expression=] which is
an [=ASCII case-insensitive=] match for the string "<a grammar>`'unsafe-eval'`</a>" then:
3. If |source-list| is not `null`, then:
1. <ins>If |requireTrustedTypes| and |source-list| contains a [=source expression=] which is
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps rather than doing the requireTrustedTypes check here, we should use trusted-eval as an enforcement mechanism. So it implies require-trusted-types-for in the eval context?

Not sure if that's good or bad just an idea.

@lukewarlow
Add new trusted-eval source expression to 'script-src' directive.
3538217 
This allows removal of 'unsafe-eval' keyword provided you enforce trusted types and replace it with 'trusted-eval'.
@bkardell bkardell mentioned this pull request May 8, 2024
Open
@lukewarlow
Copy link
Member Author

Going to close this and move it as a PR against CSP itself.

@lukewarlow lukewarlow closed this May 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
spec
Projects
None yet
Milestone
v2
Development

Successfully merging this pull request may close these issues.

Figure out if we need 'trusted-script' in script-src
1 participant
@lukewarlow