Normative: Allow CodeLike object evaluation by lukewarlow · Pull Request #3294 · tc39/ecma262

lukewarlow · 2024-03-07T15:36:34Z

This change introduces a new HostGetCodeForEval host hook, this is used to allow evaluating certain objects.

This change also provides the compilation type and the original arguments, to the host hook HostEnsureCanCompileStrings.

This PR upstreams a reduced version of the https://github.com/tc39/proposal-dynamic-code-brand-checks proposal

Closes #1498, #938

caridy · 2024-03-07T23:54:47Z

probably a little premature to do this at stage 1 :-)

@ljharb I think the reasoning behind this PR is that it doesn't really change any functionality, it is just layering. The original proposal from @mikesamuel was a lot bigger, this is just a small piece of that and we were hoping to just ask for consensus rather than pushing this thru the staging process. @cc @nicolo-ribaudo

ljharb · 2024-03-07T23:56:21Z

@caridy if it's normative, it's not just layering - but sure, if the goal is to try to turn it into a needs consensus PR, then this is fine, but my recollection is that that approach was rejected in favor of a proposal, I'm not sure how it'll turn out.

lukewarlow · 2024-03-08T00:18:53Z

@ljharb my understanding was that this would just be layering in the same way #3222 was.

ljharb · 2024-03-08T00:20:17Z

You might be right :-) would this PR obviate the entire linked proposal?

lukewarlow · 2024-03-08T00:35:22Z

Yeah with this PR the use case for that proposal, trusted types protection of eval and Function would be entirely addressed. That proposal would subsequently be withdrawn. The changes have been reduced over time and that linked PR addressed some of the required changes anyway.

michaelficarra · 2024-04-05T19:18:05Z

FYI @lukewarlow @nicolo-ribaudo this wouldn't be appropriate for stage 3 before testing and integration work has been completed. Maybe you should change the agenda item asking for stage 3 to stage 2.7?

michaelficarra · 2024-04-05T22:11:43Z

I don't really like the design here. Instead of adding a Boolean slot, could we add a String slot? The thing I don't like about having a Boolean slot and calling ToString on it is that there's no guarantee that it produces the same String each time. There's also no guarantee that ToString completes normally. If the String can't be precomputed and guaranteed constant, we could also use the slot to memoise it: ~not-computed~ or a String.

If it doesn't limit what you're trying to do with this proposal, I would much prefer a design like that.

nicolo-ribaudo · 2024-04-06T15:23:12Z

@michaelficarra This is currently tested in WPT. I asked to @ptomato how to test this in test262 but, given that the only observable change is that there might be objects that are not returned as-is by eval() but we don't actually say which objects they are (or we don't request that they exist), he suggested that this isn't really testable in test262 and that it's better to have it in WPT.

The test that shows that "there exist an object that is not returned as-is by eval" is at https://github.com/web-platform-tests/wpt/blob/23894a7e427bc088cfd4b3aa6ba8a8927b904713/trusted-types/eval-csp-no-tt.html#L13-L15. We could try somehow moving it to test262 if you prefer, maybe by requesting runners to provide an optional $262.getObjectForEval(toStringResult).

There is also a test about how it interacts with new Function (at https://github.com/web-platform-tests/wpt/blob/master/trusted-types/eval-function-constructor.html), but given that whether a call to new Function is allowed or not is entirely host-defined I don't think it can be moved to test262 in any way.

Regarding the host integration, it's specified at https://w3c.github.io/trusted-types/dist/spec/#host-ensure-can-compile-strings and https://w3c.github.io/trusted-types/dist/spec/#csp-eval.

nicolo-ribaudo · 2024-04-06T15:31:03Z

I don't really like the design here. Instead of adding a Boolean slot, could we add a String slot? The thing I don't like about having a Boolean slot and calling ToString on it is that there's no guarantee that it produces the same String each time. There's also no guarantee that ToString completes normally. If the String can't be precomputed and guaranteed constant, we could also use the slot to memoise it: ~not-computed~ or a String.

If it doesn't limit what you're trying to do with this proposal, I would much prefer a design like that.

I recommended using toString() to convert objects to string in eval() because new Function already uses toString() to convert objects to strings. When doing new Function(someObject) twice, there is already no guarantee that it will generate two functions with the same code.

When it comes to Trusted Types, the host is checking not only that the new Function/eval is being called with an object that has the capability of being converted into code, but also that the object gives the permission to convert the specific string obtained through ecma262 into code (step 2.4.1 of https://w3c.github.io/trusted-types/dist/spec/#csp-eval)

nicolo-ribaudo · 2024-04-07T17:44:52Z

@syg I was reading tc39/proposal-source-phase-imports#59 — should we replace the internal slot on the host-provided object with a HostEvalShouldStringifyObject hook for the same reason?

nicolo-ribaudo · 2024-04-17T14:24:09Z

@bakkot I was re-reading the new Function spec -- you mentioned that the sourceText created in CreateDynamicFunction is not exposed. However, my reading is that step 4 of OrdinaryFunctionCreate stores it in F.[[SourceText]], and then Function.prototype.toString will return it.

bakkot · 2024-04-17T15:07:51Z

I don't remember saying such a thing, but either way, yes, that's correct.

michaelficarra · 2024-04-17T15:37:59Z

@nicolo-ribaudo You may be referring to what I said, and I think I may have confused dynamic functions with built-in functions. While the exact whitespace/comments/etc in the String returned by Function.prototype.toString for built-ins is intentionally underspecified, the String returned for dynamic functions is indeed fully specified. If you want, it seems okay to pass that to the host AO. Sorry for the mistake.

syg · 2024-04-17T20:30:29Z

@syg I was reading tc39/proposal-source-phase-imports#59 — should we replace the internal slot on the host-provided object with a HostEvalShouldStringifyObject hook for the same reason?

Is this a comment referencing an earlier version of the PR? I don't see an internal slot currently.

lukewarlow · 2024-04-17T20:34:25Z

@syg yes there was previously a slot but we've changed it to a host hook (which itself may or may not check a slot)

lukewarlow · 2024-04-23T13:37:31Z

If you want, it seems okay to pass that to the host AO. Sorry for the mistake.

@michaelficarra is that something we can do without needing to represent that change? Passing the built code string through would indeed be the best course from our side (CSP is in fact already specced that way).

michaelficarra · 2024-04-23T16:25:27Z

@lukewarlow Any normative change at stage 2.7 or later should be presented to the committee, but I don't think this one should require consensus. It can be just a quick update.

This aligns with tc39/ecma262#3294 closes tc39#21

This change introduces a new HostGetCodeForEval host hook, this is used to allow hosts to evaluate certain objects. This change also provides the full code string, the compilation type and the original arguments, to the host hook HostEnsureCanCompileStrings.

nicolo-ribaudo · 2026-04-30T14:04:05Z

Removing the [needs test262 tests] label per the April 2024 discussion (https://github.com/tc39/notes/blob/main/meetings/2024-04/april-10.md#evalnew-function-changes-for-trusted-types-as-normative-pr-or-stage-3) (the change is not easily testable in test262 since it's just about how much info is exposed to hosts, and it's covered by WPT)

Regarding the esmeta failure, it seems like it's checking updated call sites to HostEnsureCanCompileStrings using the old signature of the host hook, rather than the new one from this PR?

nicolo-ribaudo

This PR introduces _sourceStr_ and _codeString_ variables: we'll want to use wither String or Str consistently, but we need to wait for #3837 to decide which one.

--

For other reviewers:

the implementation of HostEnsureCanCompileStrings is at https://w3c.github.io/webappsec-csp/#can-compile-strings
the implementation of HostGetCodeForEval is at https://html.spec.whatwg.org/#hostgetcodeforeval(argument)

nicolo-ribaudo · 2026-04-30T14:10:31Z

+        </h1>
+        <dl class="header">
+          <dt>description</dt>
+          <dd>It allows host environments to return a String of code from _argument_ to be used by eval, rather than eval returning _argument_.</dd>


Suggested change

<dd>It allows host environments to return a String of code from _argument_ to be used by eval, rather than eval returning _argument_.</dd>

<dd>It allows host environments to return a String representing _argument_ to be used as code by eval, rather than eval returning _argument_ as-is.</dd>

nicolo-ribaudo · 2026-04-30T14:11:18Z

+          <dt>description</dt>
+          <dd>It allows host environments to return a String of code from _argument_ to be used by eval, rather than eval returning _argument_.</dd>
+        </dl>
+        <p>_argument_ represents the Object to be checked for code.</p>


I would remove this, it's repeating what the <dl> description says.

nicolo-ribaudo · 2026-04-30T14:18:12Z

+          _parameterStrings_ represents the strings that, when using one of the function constructors, will be concatenated together to build the parameters list.
+          _bodyString_ represents the function body or the string passed to an `eval` call.
+          _codeString_ represents the compiled string for a Function or the string passed to an `eval` call.
+          _parameterArgs_ are the values passed as the leading parameters to one of the Function constructors. _bodyArg_ is either the final parameter passed to one of the Function constructors or the value passed to an `eval` call.


This list is missing _compilationType_.

Also, it's has so many entries now that maybe it should be a <ol> list, even though that's slightly unusual. @tc39/ecma262-editors thoughts?

nicolo-ribaudo · 2026-04-30T15:54:05Z

@jhnaldo This PR will need a corresponding update in https://github.com/es-meta/esmeta/blob/main/src/main/resources/manuals/funcs/HostEnsureCanCompileStrings.ir.

Should we add this to esmeta-ignore.json for now, so that ESMeta can be updated after that this PR is merged, or is it possible somehow for ESMeta to typecheck both this PR and what's currently on main?

lukewarlow mentioned this pull request Mar 7, 2024

Finalize the integrations that guard eval & Function.constructor w3c/trusted-types#207

Closed

This comment was marked as outdated.

Sign in to view

caridy reviewed Mar 7, 2024

View reviewed changes

Comment thread spec.html

This was referenced Mar 14, 2024

Include the string to be compiled in the call to HostEnsureCanCompileStrings #938

Open

HostEnsureCanCompileStrings definition mismatch whatwg/html#10202

Closed

Update handling of timer functions w3c/trusted-types#481

Merged

nicolo-ribaudo mentioned this pull request Mar 15, 2024

Update HostEnsureCanCompileStrings definition whatwg/html#10204

Merged

michaelficarra reviewed Apr 5, 2024

View reviewed changes