-
Notifications
You must be signed in to change notification settings - Fork 74
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Figure out if we need 'trusted-script'
in script-src
#221
Comments
/cc @mikewest , Do you have an opinion here? Essentially, it all boils down to whether |
Pingy ping @mikewest |
I think you're right that |
I'm reopening this issue to restart this conversation. I think something that's been missed in previous considerations is that some use cases might care more about security than compatability.
This lack of backwards compatability is a desired characterstic. Currently to use eval in TT envs you have to add a keyword that means browsers without TT allow you full unmitigated eval. Which is not always desirable. If we added a new |
@lukewarlow thanks for reopening this. we certainly need this resolved to be able to move forward with the regulations in Europe. |
As part of #464 - we get the raw arguments to eval and new Function() so we can ensure they are trusted types which would make this easier |
A worry I have here is that with Trusted Types the definition of trust lies with the website. And while I suppose a website could always bypass its own policies (e.g., to bypass In particular because regulation around security policies might encourage perverse incentives. |
@annevk I think the main incentive here is to prevent evaluation in browsers without TT, as this constitutes a security problem today with no way to mitigate it without introducing UA sniffing. |
Closing this to focus discussions in w3c/webappsec-csp#665 |
trusted-script
keyword is used now forjavascript:
navigations andeval
guarding. Since we've integrated with CSP logic, perhaps the keyword is now superfluous?If a website uses
eval
orjavacsript:
and it usesscript-src
, it needs to set appropriateunsafe-*
keywords anyhow, for browsers with notrusted-types
support.We are close to having working downgrades. See #218 for a working downgrade-to-string for
eval
; forjavascript:
navigation, the default policy will simply not be created, and therefore called.It seems like a combination of
script-src ... 'unsafe-inline' 'unsafe-eval'; trusted-types ...
correctly limits the unsafe behavior to Trusted Types, with a working downgrade to string for non-supporting browsers. IOW,trusted-types
directive adds additional restrictions independent ofscript-src
, which seems to be not violating CSP principles, and is conceptually simpler.cc @mikesamuel @mikewest
The text was updated successfully, but these errors were encountered: