Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add new trusted-eval source expression to 'script-src' directive. #473

Closed
wants to merge 1 commit into from

Conversation

lukewarlow
Copy link
Member

@lukewarlow lukewarlow commented Mar 12, 2024

Fixes #221 and #143

This allows removal of 'unsafe-eval' keyword provided you enforce trusted types and replace it with 'trusted-eval'.

  • At least two implementers are interested (and none opposed):
    • ...
  • Tests are written and can be reviewed and commented upon at:
  • Implementation bugs are filed:
    • Chromium: …
    • Gecko: …
    • WebKit: …
  • MDN issue

Preview | Diff

@lukewarlow lukewarlow added this to the v2 milestone Mar 12, 2024
@lukewarlow
Copy link
Member Author

This is not part of v1 of trusted types and as such is not covered by any existing standards positions. So we'll need to file positions separately when the time comes.

@@ -1779,6 +1802,9 @@ throws an "`EvalError`" if not:

1. <ins>If |sourceString| is not equal to |source|, throw an {{EvalError}}.</ins>

1. <ins>Let |requireTrustedTypes| be the result of executing [$Does sink type require trusted types?$] algorithm,
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As currently written this doesn't deal with the case where script-src is in enforcement mode but requre-trusted-types-for isn't.

3. If |source-list| is not `null`, and does not contain a [=source expression=] which is
an [=ASCII case-insensitive=] match for the string "<a grammar>`'unsafe-eval'`</a>" then:
3. If |source-list| is not `null`, then:
1. <ins>If |requireTrustedTypes| and |source-list| contains a [=source expression=] which is
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps rather than doing the requireTrustedTypes check here, we should use trusted-eval as an enforcement mechanism. So it implies require-trusted-types-for in the eval context?

Not sure if that's good or bad just an idea.

This allows removal of 'unsafe-eval' keyword provided you enforce trusted types and replace it with 'trusted-eval'.
@lukewarlow
Copy link
Member Author

Going to close this and move it as a PR against CSP itself.

@lukewarlow lukewarlow closed this May 14, 2024
@lukewarlow
Copy link
Member Author

MOved to w3c/webappsec-csp#665

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Figure out if we need 'trusted-script' in script-src
1 participant