CSP: make available a reliable method for obtaining a reference to the global object

[mikewest]

From @michaelficarra on October 6, 2015 23:38

At times, it is necessary to obtain a reference to the global object. In different environments, this object has non-standard, writable self-references: global in node, window in certain browser contexts, self in other browser contexts, etc. It is not a good practice to rely upon these references. For this reason, a particular pattern using the Function constructor is the only reliable method (of which I'm aware) for obtaining a reference to the global object in any context (strict/sloppy mode, module/script).

var honestToGodGlobalObject = Function("return this")();

Because this is a use of the Function constructor, CSP does not allow this pattern without adding 'unsafe-eval' to my policy. How can we make an exception to allow this pattern or something equivalent?

Copied from original issue: w3c/webappsec#501

[mikewest]

From @hillbrad on October 6, 2015 23:39

Is this an ECMAScript issue?

On Tue, Oct 6, 2015 at 4:38 PM Michael Ficarra notifications@github.com
wrote:

At times, it is necessary to obtain a reference to the global object. In
different environments, this object has non-standard, writable
self-references: global in node, window in certain browser contexts, self
in other browser contexts, etc. It is not a good practice to rely upon
these references. For this reason, a particular pattern using the Function
constructor is the only reliable method (of which I'm aware) for obtaining
a reference to the global object in any context (strict/sloppy mode,
module/script).

var honestToGodGlobalObject = Function("return this")();

Because this is a use of the Function constructor, CSP does not allow
this pattern without adding 'unsafe-eval' to my policy. How can we make
an exception to allow this pattern or something equivalent?

—
Reply to this email directly or view it on GitHub
w3c/webappsec#501.

[mikewest]

From @michaelficarra on October 7, 2015 0:10

It could be solved from the ECMAScript side, but there's little hope of that happening. All I ask is that this particular pattern (or the (0, eval)("this") equivalent mentioned in the linked thread) be allowed because of its uncontested utility.

[mikewest]

If JavaScript isn't giving you the thing you need in a consistent way, I think you'll need to poke at JavaScript to solve your problem. :( In fact, it's entirely possible that folks would use CSP specifically to prevent you from grabbing access to the global object as part of a larger sandboxing mechanism. I don't think there's much value in carving out loopholes.

More practically, I don't think there's a good way to distinguish "safe" usage of Function or eval from non-safe usage. What you want is a well-defined global reference, not a pile of hacks.

[michaelficarra]

That's a totally reasonable position to have. It just doesn't appear that either side is willing to budge on this one, and legitimate use cases are stuck in limbo until something changes.

[michaelficarra]

FYI, there is now a stage 1 ECMA-262 proposal for exactly this. It has strong committee support. https://github.com/tc39/proposal-global

[mikewest]

Closing this out in favor of the JavaScript-side global proposal, which looks to be moving along (at stage 3 right now).