Skip to content

Implement 'HostEnsureCanCompileStrings'. #66

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Apr 6, 2016
Merged

Implement 'HostEnsureCanCompileStrings'. #66

merged 2 commits into from
Apr 6, 2016

Conversation

@mikewest
Copy link
Member

@mikewest mikewest commented Apr 6, 2016

@annevk, @domenic: Can you take a look at this attempt to address the CSP side of whatwg/html#271 (comment)?

@mikewest
Copy link
Member Author

mikewest commented Apr 6, 2016

@wseltzer: According to the IPR checker, I'm not allowed to contribute to W3C specs. cough Perhaps you could poke at that? :)

@mikewest mikewest merged commit 69d9779 into master Apr 6, 2016
@domenic
Copy link
Contributor

domenic commented Apr 6, 2016

Didn't we vaguely discuss using both callerRealm and calleeRealm?

@mikewest
Copy link
Member Author

mikewest commented Apr 6, 2016

I don't recall. The caller realm seems most important, but we could check both, I guess?

@domenic
Copy link
Contributor

domenic commented Apr 6, 2016

Yeah, it seems like you shouldn't be able to do cspedWindow.eval('...') to me. Both would be nice.

mikewest added a commit that referenced this pull request Apr 6, 2016
@mikewest
Check both caller and callee realm for 'unsafe-eval'.
8d3e743 
Based on conversation at #66, this seems like the
safest approach given the potential difference in privilege between
realms.

h/t @domenic
@mikewest
Copy link
Member Author

mikewest commented Apr 6, 2016

Changed to use both in 8d3e743.

@wseltzer
Copy link
Member

wseltzer commented Apr 12, 2016

@mikewest fixed the ipr check bug

@mikewest mikewest deleted the eval branch November 9, 2016 09:44
ryandel8834 added a commit to ryandel8834/WebAppSec-CSP that referenced this pull request Aug 13, 2022
@ryandel8834
Check both caller and callee realm for 'unsafe-eval'.
da09f76 
Based on conversation at w3c/webappsec-csp#66, this seems like the
safest approach given the potential difference in privilege between
realms.

h/t @domenic
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mikewest @domenic @wseltzer