Skip to content

Update EnsureCSPDoesNotBlockStringCompilation to match updated HostEnsureCanCompileStrings definition #650

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
annevk merged 5 commits into from
Jun 13, 2024
Merged

Update EnsureCSPDoesNotBlockStringCompilation to match updated HostEnsureCanCompileStrings definition #650

Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
961e959
Update EnsureCSPDoesNotBlockStringCompilation to match updated HostEn…
lukewarlow Mar 14, 2024
e0e7778
Re-add |source|
lukewarlow Apr 23, 2024
76997e0
Update |source| to |codeString|
lukewarlow Jun 11, 2024
bef0e49
Fix build error
lukewarlow Jun 13, 2024
a078c7f
Add missing compilationType from unused note
lukewarlow Jun 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 22 additions & 5 deletions index.bs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1442,13 +1442,32 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/
to determine whether such compilation ought to be blocked.

<h4 id="can-compile-strings" algorithm dfn export>
EnsureCSPDoesNotBlockStringCompilation(|realm|, |source|)
EnsureCSPDoesNotBlockStringCompilation(|realm|, |parameterStrings|, |bodyString|, |compilationType|, |parameterArgs|, |bodyArg|)
</h4>

Given a <a>realm</a> |realm| and a string |source|, this algorithm
Given a <a>realm</a> |realm|, a list of strings |parameterStrings|, a string |bodyString|, an enum (|compilationType|),
a list of ECMAScript language values (|parameterArgs|), and an ECMAScript language value (|bodyArg|), this algorithm
returns normally if string compilation is allowed, and throws an "`EvalError`"
if not:

1. Let |source| be |bodyString|.

1. If |compilationType| is `*FUNCTION*`:

1. Set |source| to `"function anonymous("`
Copy link
Copy Markdown
Member Author

@lukewarlow lukewarlow Apr 17, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TC39 didn't approve passing through the compiled code string so instead we reconstruct it here.

This matches WebKit and Firefox but Chromium currently wraps the entire string in () brackets.

This also doesn't have the context of whether it's an async function or generator, so this is a change in that regard but the usage of their constructors is probably very low (cc @nicolo-ribaudo)

Copy link
Copy Markdown
Member

@annevk annevk Apr 17, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you link the discussion?

Not sure who has to approve this for Chromium. @andypaicu and @mikewest maybe?

Copy link
Copy Markdown
Member Author

@lukewarlow lukewarlow Apr 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for the delay on getting back to this. The discussion isn't published yet (I think soon?).

After a bit of a back and forth it turns out the reasoning behind the objection was flawed and so we're going to ask (I don't forsee there being push back personally) them to change it in the next plenary. In the mean time I'll change this spec PR (and HTMLs) to assume it does get passed through. Given CSP at least is already "broken" in that regard it doesn't seem bad to continue it for a bit longer till we get the tc39 side updated.

Copy link
Copy Markdown
Member Author

@lukewarlow lukewarlow Apr 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given this is well defined in ECMA262 it would be interesting to see where the discrepency in Chrome comes from and whether there's test coverage for that particular aspect.


1. For each |arg| in |parameterStrings|:

1. Append |arg| to |source|.

1. If |arg| is not the last item of |parameterStrings|, append `","` to |source|.

1. Append `"\n) {\n"` to |source|.

1. Append |bodyString| to |source|.

1. Append `"\n}"` to |source|.

1. Let |result| be "`Allowed`".

2. Let |global| be |realm|'s [=realm/global object=].
Expand Down Expand Up @@ -1483,9 +1502,7 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/

4. If |result| is "`Blocked`", throw an `EvalError` exception.

ISSUE(tc39/ecma262#938): {{HostEnsureCanCompileStrings()}} does not include the string which is
going to be compiled as a parameter. We'll also need to update HTML to pipe that value through
to CSP.
Note: |parameterArgs| and |bodyArg| are currently unused. They are included for future use.

<h3 id="wasm-integration">Integration with WebAssembly</h3>

Expand Down