From 3a0f58d25a29184371e33f15af23ed6b096881e9 Mon Sep 17 00:00:00 2001 From: Luke Warlow Date: Tue, 28 May 2024 14:50:27 +0100 Subject: [PATCH] Add `trusted-eval` source expression for `script-src` This new keyword allows enabling eval only when trusted types are enforced. Such that in browsers that don't support trusted types no eval is allowed. --- index.bs | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/index.bs b/index.bs index 859bcb58a7..bc4533972a 100644 --- a/index.bs +++ b/index.bs @@ -697,7 +697,7 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ keyword-source = "'self'" / "'unsafe-inline'" / "'unsafe-eval'" / "'strict-dynamic'" / "'unsafe-hashes'" / / "'report-sample'" / "'unsafe-allow-redirects'" - / "'wasm-unsafe-eval'" + / "'wasm-unsafe-eval'" / "'trusted-eval'" ISSUE: Bikeshed `unsafe-allow-redirects`. @@ -1454,6 +1454,8 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ 1. Let |sourceString| be |source|. + 1. Let |requireTrustedTypes| be `false`. + 1. Else: 1. Let |compilationSink| be `"Function"` if |compilationType| is `*FUNCTION*`, otherwise `"Eval"`. 
@@ -1503,9 +1505,17 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ Otherwise if |policy| contains a [=directive=] whose [=directive/name=] is "`default-src`", then set |source-list| to that directive's [=directive/value=]. - 3. If |source-list| is not null, and does not contain a [=source expression=] which is - an [=ASCII case-insensitive=] match for the string "`'unsafe-eval'`", - then: + 1. If |source-list| is not null: + + 1. Let |reportOnlyMode| be true if |policy|'s [=policy/disposition=] is "`report`", false otherwise. + + 1. If the result of executing [$Does sink type require trusted types?$], with |realm|, `'script'`, and + |reportOnlyMode| is true and |source-list| contains a [=source expression=] which is an + [=ASCII case-insensitive=] match for the string "`'trusted-eval'`", then skip the following + steps. + + 1. If |source-list| contains a [=source expression=] which is an [=ASCII case-insensitive=] match for the + string "`'unsafe-eval'`", then skip the following steps. 1. Let |violation| be the result of executing [[#create-violation-for-global]] on |global|, |policy|, and "`script-src`". @@ -1518,8 +1528,7 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ 4. Execute [[#report-violation]] on |violation|. - 5. If |policy|'s [=policy/disposition=] is "`enforce`", then set |result| to - "`Blocked`". + 5. If |reportOnlyMode| is false, then set |result| to "`Blocked`". 4. If |result| is "`Blocked`", throw an `EvalError` exception. @@ -2781,8 +2790,8 @@ this algorithm returns normally if compilation is allowed, and throws a nonce-source or a hash-source that matches the inline block. - 4. The following JavaScript execution sinks are gated on the "`unsafe-eval`" - source expression: + 4. The following JavaScript execution sinks are gated on the "`unsafe-eval`" and "`trusted-eval`" + source expressions: * {{eval()}} * {{Function()}}
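
Review bot: The `keyword-source` hunk (@@ -697,7 +697,7) adds "'trusted-eval'" to the grammar, but no hunk in this patch adds prose defining the keyword or saying which directives it is meaningful in. The subject line names `script-src`, while the algorithm context further down also falls back to "`default-src`" when building |source-list|, so the keyword is honoured there too. Suggest adding a short definition next to the grammar that states the intended scope and what happens when a policy lists both "'trusted-eval'" and "'unsafe-eval'".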
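
Review bot: |requireTrustedTypes|, introduced in the @@ -1454,6 +1454,8 hunk, is never read by any step this patch adds; the later check calls [$Does sink type require trusted types?$] directly. It is also only assigned in the branch before "Else:", so it would be undefined on the other path if something did read it. Either drop the line, or set it in both branches and use it in the "`'trusted-eval'`" check.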
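
Review bot: "then skip the following steps" is used twice in the @@ -1503,9 +1505,17 hunk without saying where the skipped range ends. Read literally, it could also skip the later step "If |result| is "`Blocked`", throw an `EvalError` exception", and a blocking result set by an earlier policy would then be lost. Suggest stating both checks as one guard on the violation steps (for example "If neither of the following is true, then:" followed by the two conditions) or naming the step to continue from, so that the only thing skipped is creating and reporting the violation for this |policy|. Minor: |reportOnlyMode| is assigned bare true/false here, while the earlier hunk writes `false` in backticks; pick one style.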
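
Review bot: In the @@ -2781,8 +2790,8 hunk, "gated on the "`unsafe-eval`" and "`trusted-eval`" source expressions" reads as if both keywords are required, whereas the algorithm hunk allows compilation when either check passes, and "`'trusted-eval'`" only counts when the trusted types check returns true. Suggest wording along the lines of: gated on "`unsafe-eval`", or on "`trusted-eval`" when Trusted Types are required for the realm. That keeps this summary from implying that "`trusted-eval`" alone permits these sinks in browsers without Trusted Types.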