Add new trusted-eval source expression to 'script-src' directive.#473
Closed
lukewarlow wants to merge 1 commit intow3c:mainfrom
Closed
Add new trusted-eval source expression to 'script-src' directive.#473lukewarlow wants to merge 1 commit intow3c:mainfrom
trusted-eval source expression to 'script-src' directive.#473lukewarlow wants to merge 1 commit intow3c:mainfrom
Conversation
Member
Author
|
This is not part of v1 of trusted types and as such is not covered by any existing standards positions. So we'll need to file positions separately when the time comes. |
lukewarlow
commented
Mar 12, 2024
|
|
||
| 1. <ins>If |sourceString| is not equal to |source|, throw an {{EvalError}}.</ins> | ||
|
|
||
| 1. <ins>Let |requireTrustedTypes| be the result of executing [$Does sink type require trusted types?$] algorithm, |
Member
Author
There was a problem hiding this comment.
As currently written this doesn't deal with the case where script-src is in enforcement mode but requre-trusted-types-for isn't.
lukewarlow
commented
Mar 12, 2024
| 3. If |source-list| is not `null`, and does not contain a [=source expression=] which is | ||
| an [=ASCII case-insensitive=] match for the string "<a grammar>`'unsafe-eval'`</a>" then: | ||
| 3. If |source-list| is not `null`, then: | ||
| 1. <ins>If |requireTrustedTypes| and |source-list| contains a [=source expression=] which is |
Member
Author
There was a problem hiding this comment.
Perhaps rather than doing the requireTrustedTypes check here, we should use trusted-eval as an enforcement mechanism. So it implies require-trusted-types-for in the eval context?
Not sure if that's good or bad just an idea.
This allows removal of 'unsafe-eval' keyword provided you enforce trusted types and replace it with 'trusted-eval'.
lukewarlow
force-pushed
the
trusted-eval
branch
from
aad013d to
3538217
Compare
Member
Author
|
Going to close this and move it as a PR against CSP itself. |
Member
Author
|
MOved to w3c/webappsec-csp#665 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #221 and #143
This allows removal of 'unsafe-eval' keyword provided you enforce trusted types and replace it with 'trusted-eval'.
Preview | Diff