Add trusted-types-eval source expression for script-src
This new keyword allows enabling eval only when trusted types are enforced, such that in browsers that don't support trusted types no eval is allowed.
lukewarlow committed Sep 9, 2024
1 parent ce17e10 commit 5b4509b
22 changes: 16 additions & 6 deletions index.bs
@@ -699,7 +699,7 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/
<dfn>keyword-source</dfn> = "<dfn>'self'</dfn>" / "<dfn>'unsafe-inline'</dfn>" / "<dfn>'unsafe-eval'</dfn>"
/ "<dfn>'strict-dynamic'</dfn>" / "<dfn>'unsafe-hashes'</dfn>" /
/ "<dfn>'report-sample'</dfn>" / "<dfn>'unsafe-allow-redirects'</dfn>"
/ "<dfn>'wasm-unsafe-eval'</dfn>"
/ "<dfn>'wasm-unsafe-eval'</dfn>" / "<dfn>'trusted-types-eval'</dfn>"

ISSUE: Bikeshed `unsafe-allow-redirects`.

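Review bot: the new `'trusted-types-eval'` alternative is added to the keyword-source production, but no hunk in this change adds prose describing the keyword's semantics; the only statement of what it does is the commit message. Add a definition paragraph next to the grammar saying it permits eval only while Trusted Types are enforced for the global, so the grammar entry has something to cross-reference. While touching this production, the pre-existing stray `/` at the start of the `'report-sample'` line (the `'unsafe-hashes'` line above it already ends in `/`) leaves an empty alternative `/ /` in the ABNF and should be dropped.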
@@ -1456,6 +1456,8 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/

1. Let |sourceString| be |codeString|.

1. Let |requireTrustedTypes| be `false`.

1. Else:

1. Let |compilationSink| be "Function" if |compilationType| is "`FUNCTION`", and "Eval" otherwise.
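Review bot: |requireTrustedTypes| is declared here but never read in any hunk of this change; the eval check later in the patch computes a separately named |trustedTypesRequired| by calling [$Does sink type require trusted types?$] instead. Either drop this line or make the later step consume this variable. If it is kept, the `Else:` branch directly below must also assign it, since on that path the variable is otherwise never set.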
@@ -1504,9 +1506,17 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/
Otherwise if |policy| contains a [=directive=] whose [=directive/name=] is
"`default-src`", then set |source-list| to that directive's [=directive/value=].

3. If |source-list| is not null, and does not contain a [=source expression=] which is
an [=ASCII case-insensitive=] match for the string "<a grammar>`'unsafe-eval'`</a>",
then:
1. If |source-list| is not null:

1. Let |trustedTypesRequired| be the result of executing [$Does sink type require trusted types?$], with
|realm|, `'script'`, and `false`.

1. If |trustedTypesRequired| is `true` and |source-list| contains a [=source expression=] which is an
[=ASCII case-insensitive=] match for the string "<a grammar>`'trusted-types-eval'`</a>", then skip the
following steps.

1. If |source-list| contains a [=source expression=] which is an [=ASCII case-insensitive=] match for the
string "<a grammar>`'unsafe-eval'`</a>", then skip the following steps.

1. Let |violation| be the result of executing [[#create-violation-for-global]] on
|global|, |policy|, and "`script-src`".
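Review bot: the call to [$Does sink type require trusted types?$] is passed |realm|, while the violation created two steps later is built on |global|; check which object that algorithm takes and pass the same one in both places rather than mixing the realm and its global. The `false` third argument means report-only Trusted Types policies do not unlock eval, which matches the commit message's "only when trusted types are enforced", but that consequence belongs in the spec text, not only in the commit message. Ordering is fine: the `'unsafe-eval'` check still runs when `'trusted-types-eval'` does not apply, so a policy carrying `'unsafe-eval'` keeps working unchanged. One thing a reader cannot tell from the resulting report is why eval was refused when `'trusted-types-eval'` was present but enforcement was off; the violation is identical to the plain missing-`'unsafe-eval'` case, so consider noting that in the description of the keyword.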
@@ -2782,8 +2792,8 @@ this algorithm returns normally if compilation is allowed, and throws a
<a grammar>nonce-source</a> or a <a grammar>hash-source</a> that matches
the inline block.

4. The following JavaScript execution sinks are gated on the "`unsafe-eval`"
source expression:
4. The following JavaScript execution sinks are gated on the "`unsafe-eval`" and "`trusted-types-eval`"
source expressions:

* {{eval()}}
* {{Function()}}
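Review bot: the summary now reads as if `'unsafe-eval'` and `'trusted-types-eval'` were interchangeable gates for these sinks, but per the algorithm change `'trusted-types-eval'` only unlocks them when Trusted Types are enforced for the global. Qualify the sentence, for example: "gated on the `'unsafe-eval'` source expression, or on `'trusted-types-eval'` when Trusted Types are enforced".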