CSP: make available a reliable method for obtaining a reference to the global object #2
Comments
|
From @hillbrad on October 6, 2015 23:39 Is this an ECMAScript issue? On Tue, Oct 6, 2015 at 4:38 PM Michael Ficarra notifications@github.com
|
|
From @michaelficarra on October 7, 2015 0:10 It could be solved from the ECMAScript side, but there's little hope of that happening. All I ask is that this particular pattern (or the |
|
If JavaScript isn't giving you the thing you need in a consistent way, I think you'll need to poke at JavaScript to solve your problem. :( In fact, it's entirely possible that folks would use CSP specifically to prevent you from grabbing access to the global object as part of a larger sandboxing mechanism. I don't think there's much value in carving out loopholes. More practically, I don't think there's a good way to distinguish "safe" usage of |
|
That's a totally reasonable position to have. It just doesn't appear that either side is willing to budge on this one, and legitimate use cases are stuck in limbo until something changes. |
|
FYI, there is now a stage 1 ECMA-262 proposal for exactly this. It has strong committee support. https://github.com/tc39/proposal-global |
|
Closing this out in favor of the JavaScript-side |
* Introduce "Strip URL for use in reports". Omit informations from URLs in reports for: - `blockedURI` - `document-uri` - `referrer` - `source-file` This is the defactor standard implemented in: - [Chrome] with `StripURLForUseInReports(...)` - [Firefox] with `StripURIForReporting(...)` - [Safari] with `deprecatedURLForReporting(...)` The 3 implementations differ slightly. This patch proposes following [Chrome's patch], which help resolve this [user's need]. See also related [firefox issue] and [webappsec-csp issue]. [Chrome]: https://source.chromium.org/search?q=StripURLForUseInReport [Firefox]: https://searchfox.org/mozilla-central/search?q=StripURIForReporting [Safari]: https://github.com/WebKit/WebKit/blob/eea907e63be4676ad5cc56cabe4d00edf109b398/Source/WebCore/page/csp/ContentSecurityPolicy.cpp#L716 [Chrome's patch]: https://chromium-review.googlesource.com/c/chromium/src/+/3263879 [user's need]: https://bugs.chromium.org/p/chromium/issues/detail?id=1264789 [firefox issue]: https://bugzilla.mozilla.org/show_bug.cgi?id=1705523 [webappsec-csp issue]: #489 * Apply suggestions from annevk@ review #1 Co-authored-by: Anne van Kesteren <annevk@annevk.nl> * Address annevk@ comments #2 * Address @annevk comments. * Nit * Switch toward an allowlist * Remove wss/ws/ftp * Update index.bs Co-authored-by: Anne van Kesteren <annevk@annevk.nl> Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
From @michaelficarra on October 6, 2015 23:38
At times, it is necessary to obtain a reference to the global object. In different environments, this object has non-standard, writable self-references:
globalin node,windowin certain browser contexts,selfin other browser contexts, etc. It is not a good practice to rely upon these references. For this reason, a particular pattern using theFunctionconstructor is the only reliable method (of which I'm aware) for obtaining a reference to the global object in any context (strict/sloppy mode, module/script).Because this is a use of the
Functionconstructor, CSP does not allow this pattern without adding'unsafe-eval'to my policy. How can we make an exception to allow this pattern or something equivalent?Copied from original issue: w3c/webappsec#501
The text was updated successfully, but these errors were encountered: