Add trusted-eval source expression for script-src
This new keyword allows enabling eval only when trusted types are enforced, such that in browsers that don't support trusted types, no eval is allowed.
lukewarlow committed May 28, 2024
1 parent db0b0ce commit 3a0f58d
Showing 1 changed file with 17 additions and 8 deletions.
25 changes: 17 additions & 8 deletions index.bs
Expand Up @@ -697,7 +697,7 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/
<dfn>keyword-source</dfn> = "<dfn>'self'</dfn>" / "<dfn>'unsafe-inline'</dfn>" / "<dfn>'unsafe-eval'</dfn>"
/ "<dfn>'strict-dynamic'</dfn>" / "<dfn>'unsafe-hashes'</dfn>" /
/ "<dfn>'report-sample'</dfn>" / "<dfn>'unsafe-allow-redirects'</dfn>"
/ "<dfn>'wasm-unsafe-eval'</dfn>"
/ "<dfn>'wasm-unsafe-eval'</dfn>" / "<dfn>'trusted-eval'</dfn>"

ISSUE: Bikeshed `unsafe-allow-redirects`.

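Review bot: `'trusted-eval'` is added to the shared keyword-source production (last grammar line), so it becomes syntactically valid in every directive's source list, while the rest of this commit only gives it meaning for the eval check driven by `script-src` and its `default-src` fallback. Suggest adding a sentence where the keywords are described saying that it has no effect elsewhere and that it permits eval only while trusted types are enforced. The name also drops the `unsafe-` prefix that `'unsafe-eval'` and `'wasm-unsafe-eval'` carry, so a short rationale for that would help policy authors.
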
Expand Down Expand Up @@ -1454,6 +1454,8 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/

1. Let |sourceString| be |source|.

1. Let |requireTrustedTypes| be `false`.

1. Else:

1. Let |compilationSink| be `"Function"` if |compilationType| is `*FUNCTION*`, otherwise `"Eval"`.
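
Review bot: |requireTrustedTypes| is initialised to `false` in the added step, but none of the steps visible in this commit read it; the eval check added further down calls [$Does sink type require trusted types?$] directly. Either drop the variable or use it in place of that call, and if it stays, make sure the `Else` branch that follows also assigns it so it is defined on both paths.
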
Expand Down Expand Up @@ -1503,9 +1505,17 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/
Otherwise if |policy| contains a [=directive=] whose [=directive/name=] is
"`default-src`", then set |source-list| to that directive's [=directive/value=].

3. If |source-list| is not null, and does not contain a [=source expression=] which is
an [=ASCII case-insensitive=] match for the string "<a grammar>`'unsafe-eval'`</a>",
then:
1. If |source-list| is not null:

1. Let |reportOnlyMode| be true if |policy|'s [=policy/disposition=] is "`report`", false otherwise.

1. If the result of executing [$Does sink type require trusted types?$], with |realm|, `'script'`, and
|reportOnlyMode| is true and |source-list| contains a [=source expression=] which is an
[=ASCII case-insensitive=] match for the string "<a grammar>`'trusted-eval'`</a>", then skip the following
steps.

1. If |source-list| contains a [=source expression=] which is an [=ASCII case-insensitive=] match for the
string "<a grammar>`'unsafe-eval'`</a>", then skip the following steps.

1. Let |violation| be the result of executing [[#create-violation-for-global]] on
|global|, |policy|, and "`script-src`".
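
Review bot: both new early exits say "skip the following steps" without saying how far the skip reaches. As written it is unclear whether only the violation creation is skipped or also the reporting and the step that sets |result| to "`Blocked`", and a misreading in either direction changes whether eval is allowed. Suggest one positive guard instead, along the lines of "If |source-list| contains neither `'unsafe-eval'` nor (`'trusted-eval'` while trusted types are required), then:" with the violation steps nested under it. It is also worth stating that the trusted types check is evaluated for |realm| as a whole, so the `require-trusted-types-for` directive may come from a different policy than the one carrying `'trusted-eval'`.
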
Expand All @@ -1518,8 +1528,7 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/

4. Execute [[#report-violation]] on |violation|.

5. If |policy|'s [=policy/disposition=] is "`enforce`", then set |result| to
"`Blocked`".
5. If |reportOnlyMode| is false, then set |result| to "`Blocked`".

4. If |result| is "`Blocked`", throw an `EvalError` exception.

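Review bot: step 5 now depends on |reportOnlyMode|, which is only declared inside the "If |source-list| is not null" substeps added earlier in this commit. Confirm this step is nested under that same branch; if it can be reached at the outer level, the variable is undefined there and the original check on |policy|'s [=policy/disposition=] should stay.
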
Expand Down Expand Up @@ -2781,8 +2790,8 @@ this algorithm returns normally if compilation is allowed, and throws a
<a grammar>nonce-source</a> or a <a grammar>hash-source</a> that matches
the inline block.

4. The following JavaScript execution sinks are gated on the "`unsafe-eval`"
source expression:
4. The following JavaScript execution sinks are gated on the "`unsafe-eval`" and "`trusted-eval`"
source expressions:

* {{eval()}}
* {{Function()}}
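
Review bot: "gated on the `unsafe-eval` and `trusted-eval` source expressions" reads as if both keywords must be present, whereas the algorithm change allows the sinks when either one matches, and `'trusted-eval'` only while trusted types are required. Suggest "gated on the `unsafe-eval` source expression, or on `trusted-eval` when trusted types are enforced" so this summary matches the check.
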