-
Notifications
You must be signed in to change notification settings - Fork 74
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
adjustments to HostEnsureCanCompileStrings discard value #144
Comments
AFAICT, there's no fix that satisfies the @mikewest Do you have a sense of how browser implementors might react to replacing language like
with
(tc39/ecma262#1498 defines goal and sourceText.) |
This reworks how `new Function(source)` and `eval(source)` are checked against a CSP and Trusted Types policy. It trusts TrustedScript when the relevant CSP policies and TrustedType configurations agree on whether to enforce and the TrustedType configuration places limits on policy creation. It also changes the previous language to use *calleeRealm* instead of *callerRealm* for consistency with other sinks. > ```js > let f = new self.top.Function(source); > ``` > In this case, the *callerRealm*'s Window is `self` and the > *calleeRealm*'s Window is `self.top`. > The Trusted Types portion of this algorithm uses *calleeRealm* > for consistency with other sinks. > ```js > // Assigning a string to another Realm's DOM sink uses that > // Realm's default policy. > self.top.body.innerHTML = 'Hello, World!'; > // Using another Realm's builtin Function constructor should > // analogously use that > // Realm's default policy. > new self.top.Function('alert(1)')() > ``` It also makes recent versions of `bikeshed` run without warnings. Fixes w3c#143 Issue w3c#144
This reworks how `new Function(source)` and `eval(source)` are checked against a CSP and Trusted Types policy. It trusts TrustedScript when the relevant CSP policies and TrustedType configurations agree on whether to enforce and the TrustedType configuration places limits on policy creation. It also changes the previous language to use *calleeRealm* instead of *callerRealm* for consistency with other sinks. > ```js > let f = new self.top.Function(source); > ``` > In this case, the *callerRealm*'s Window is `self` and the > *calleeRealm*'s Window is `self.top`. > The Trusted Types portion of this algorithm uses *calleeRealm* > for consistency with other sinks. > ```js > // Assigning a string to another Realm's DOM sink uses that > // Realm's default policy. > self.top.body.innerHTML = 'Hello, World!'; > // Using another Realm's builtin Function constructor should > // analogously use that > // Realm's default policy. > new self.top.Function('alert(1)')() > ``` It also makes recent versions of `bikeshed` run without warnings. Fixes w3c#143 Issue w3c#144
Should this be tracked under #207 or the tc39 repos, or do we need this bug separately? |
https://github.com/WICG/trusted-types/blob/1f0e41ff742de43e70261814ac2b2d314b630e1e/spec/index.bs#L1430-L1446
This uses Get Trusted Type compliant string which might apply the default policy.
This is the right thing to do so that applications can provide minimal workarounds for legacy code patterns like
which appears frequently in JS library code.
Uses in the JS spec are written like
The return a value is never used: it either throws or returns normally.
This causes two problems:
x
, notrewriteJavascript(x)
.visible side-effects for values like
The text was updated successfully, but these errors were encountered: