Add trusted-types-eval source expression for script-src#665
Merged
lukewarlow merged 1 commit intow3c:mainfrom Jan 15, 2025
Merged
Add trusted-types-eval source expression for script-src#665lukewarlow merged 1 commit intow3c:mainfrom
trusted-types-eval source expression for script-src#665lukewarlow merged 1 commit intow3c:mainfrom
Conversation
lukewarlow
force-pushed
the
script-src-trusted-eval
branch
from
3a0f58d to
8444566
Compare
Member
Author
|
cc @otherdaniel @koto to gather Google feedback. Mozilla Position Request: mozilla/standards-positions#1032 WebKit Position Request: WebKit/standards-positions#355 |
annevk
reviewed
May 31, 2024
lukewarlow
force-pushed
the
script-src-trusted-eval
branch
from
8444566 to
824fce9
Compare
lukewarlow
changed the title
trusted-eval source expression for script-srctrusted-types-eval source expression for script-src
lukewarlow
force-pushed
the
script-src-trusted-eval
branch
from
824fce9 to
1ed7bc6
Compare
lukewarlow
force-pushed
the
script-src-trusted-eval
branch
2 times, most recently
from
ad31238 to
5b4509b
Compare
Member
Author
|
@mikewest if you've got time it'd be brilliant to get an editorial review of this too. Still waiting on some browser positions so won't merge yet. |
lukewarlow
force-pushed
the
script-src-trusted-eval
branch
from
5b4509b to
b6e3a19
Compare
This new keyword allows enabling eval only when trusted types are enforced. Such that in browsers that don't support trusted types no eval is allowed.
lukewarlow
force-pushed
the
script-src-trusted-eval
branch
from
b6e3a19 to
29f6b70
Compare
Member
Author
|
Failing pipeline here seems to be related to a change already merged, rather than this PR. For now I'll leave it "broken" but happy to address if that's desired. Made a WebKit PR at WebKit/WebKit#38741 so would be good to get this PR merged. Given the above standards positions is there a process for requesting review and approval like whatwg has? |
mikewest
approved these changes
Jan 9, 2025
Member
mikewest
left a comment
mikewest
left a comment
There was a problem hiding this comment.
We're working on defining the process for updating this spec, and I do hope we'll land on something similar to WHATWG's.
That said, we discussed this specific item at TPAC (https://github.com/w3c/webappsec/blob/main/meetings/2024/2024-09-26-TPAC-minutes.md#trusted-types-eval), there are positive signals from WebKit (WebKit/standards-positions#355), and Mozilla (mozilla/standards-positions#1032). I think whatever process we end up with would accept that as Good Enough™.
With that in mind, I'm comfortable landing this prior to solidifying a new process. @dveditz, WDYT?
Member
Author
|
Based on todays meeting I'm going to go ahead and merge this. Thanks for the reviews. |
lando-worker Bot
pushed a commit
to mozilla-firefox/firefox
that referenced
this pull request
Sep 3, 2025
…smaug See w3c/webappsec-csp#665 Differential Revision: https://phabricator.services.mozilla.com/D263352
moz-wptsync-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Sep 3, 2025
See w3c/webappsec-csp#665 Differential Revision: https://phabricator.services.mozilla.com/D263352 bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1940493 gecko-commit: 95bc6cee58f879df3c2dfb431be9dc6dd5735cd9 gecko-reviewers: smaug
moz-wptsync-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Sep 3, 2025
See w3c/webappsec-csp#665 Differential Revision: https://phabricator.services.mozilla.com/D263352 bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1940493 gecko-commit: 95bc6cee58f879df3c2dfb431be9dc6dd5735cd9 gecko-reviewers: smaug
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified-and-comments-removed
that referenced
this pull request
Sep 8, 2025
…smaug See w3c/webappsec-csp#665 Differential Revision: https://phabricator.services.mozilla.com/D263352 UltraBlame original commit: 95bc6cee58f879df3c2dfb431be9dc6dd5735cd9
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-comments-removed
that referenced
this pull request
Sep 8, 2025
…smaug See w3c/webappsec-csp#665 Differential Revision: https://phabricator.services.mozilla.com/D263352 UltraBlame original commit: 95bc6cee58f879df3c2dfb431be9dc6dd5735cd9
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified
that referenced
this pull request
Sep 8, 2025
…smaug See w3c/webappsec-csp#665 Differential Revision: https://phabricator.services.mozilla.com/D263352 UltraBlame original commit: 95bc6cee58f879df3c2dfb431be9dc6dd5735cd9
mertcanaltin
pushed a commit
to mertcanaltin/wpt
that referenced
this pull request
Oct 26, 2025
See w3c/webappsec-csp#665 Differential Revision: https://phabricator.services.mozilla.com/D263352 bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1940493 gecko-commit: 95bc6cee58f879df3c2dfb431be9dc6dd5735cd9 gecko-reviewers: smaug
ajperel
pushed a commit
to chromium/chromium
that referenced
this pull request
Dec 17, 2025
`script-src 'trusted-types-eval'` exempts `eval` from Trusted Types checks, when Trusted Types is enforced. When Trusted Types is not enforced, this directive has no effect. Guarded by the "TrustedTypesHTML" flag. Spec: w3c/webappsec-csp#665 Bug: 388437274 Change-Id: Ided5fd680b0fee1782148b48cdcc7705f2e745ef Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7207201 Reviewed-by: Daniel Cheng <dcheng@chromium.org> Reviewed-by: Nate Chapin <japhet@chromium.org> Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org> Reviewed-by: Yifan Luo <lyf@chromium.org> Cr-Commit-Position: refs/heads/main@{#1559976}
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This new keyword allows enabling eval only when trusted types are enforced. Such that in browsers that don't support trusted types no eval is allowed, unlike with
unsafe-eval. This concept was brought up at previous WebAppSec WG meetings.Implementor Interest:
Mozilla (see New
trusted-types-evalkeyword for CSP script-src mozilla/standards-positions#1032)WebKit (see New
trusted-types-evalkeyword for CSP script-src WebKit/standards-positions#355)Chromium - Not sure how best to get an official Google position but Lukas is supportive per New
trusted-types-evalkeyword for CSP script-src WebKit/standards-positions#355 (comment)Implementation Bugs:
Preview | Diff