Normative: Provide source text to HostEnsureCanCompileStrings #3222

Merged: 1 commit, Feb 14, 2024

Commits on Feb 14, 2024

  1. Normative: Provide source text to HostEnsureCanCompileStrings (tc39#3222)
    
    This change provides the source text to be evaluated, and the grammar
    symbol that should be used to parse it, to the host hook
    HostEnsureCanCompileStrings.
    
    One example of where this is needed is for allowing a Content Security
    Policy to provide hashes for code executed via `eval()` or
    `new Function()`:
    w3c/webappsec-csp#623
    This is useful on its own, but has come up again in the topic of
    ShadowRealm-HTML integration. In a ShadowRealm you can either execute code
    asynchronously, with ShadowRealm.p.importValue, or synchronously, with
    ShadowRealm.p.evaluate. Because the latter uses `eval()` inside the
    ShadowRealm, it's subject to CSP rules, so the only CSP policy that will
    let you execute synchronously in the realm is `unsafe-eval`.
    
    This is a separate needs-consensus PR, rather than being part of the
    ShadowRealm proposal, because it's useful independently of ShadowRealm,
    and also ShadowRealm would go forward regardless of whether this goes
    forward.
    
    Prior art: https://github.com/tc39/proposal-dynamic-code-brand-checks
    ptomato authored and ljharb committed Feb 14, 2024
    b07ca06
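
How a host could use the source text described in the commit message, as an added example (not code from this PR, the specification, or any browser). The `hostEnsureCanCompileStrings(policy, sourceText)` signature, the helper names and the sample policy are hypothetical, and it assumes hashes for `eval()` would be matched the way CSP hash sources are matched for inline scripts:

```javascript
// Added illustration: not ECMAScript spec text and not a browser's CSP code.
const crypto = require("node:crypto");

// CSP hash-source syntax: 'sha256-<base64>' (sha384 and sha512 also exist).
const HASH_SOURCE = /^'(sha256|sha384|sha512)-([A-Za-z0-9+\/_-]+={0,2})'$/;

// Return the source list of the script-src directive (no default-src fallback).
function scriptSrcSources(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "script-src") return sources;
  }
  return [];
}

function cspHash(algorithm, sourceText) {
  return crypto.createHash(algorithm).update(sourceText, "utf8").digest("base64");
}

// Hypothetical host hook: returns a reason string to allow, throws to block.
// Called without sourceText it models a host that never sees the string,
// where 'unsafe-eval' is the only thing that can allow compilation.
function hostEnsureCanCompileStrings(policy, sourceText) {
  const sources = scriptSrcSources(policy);
  if (sources.some((s) => s.toLowerCase() === "'unsafe-eval'")) {
    return "allowed: unsafe-eval";
  }
  if (typeof sourceText === "string") {
    for (const source of sources) {
      const match = HASH_SOURCE.exec(source);
      if (!match) continue;
      // Accept base64url spellings by normalising to standard base64.
      const expected = match[2].replace(/-/g, "+").replace(/_/g, "/");
      if (cspHash(match[1], sourceText) === expected) {
        return `allowed: ${match[1]} hash`;
      }
    }
  }
  throw new EvalError("blocked by Content Security Policy");
}

// Constructed sample: a policy that lists the hash of one trusted snippet.
const TRUSTED_SNIPPET = "1 + 1";
const POLICY = `script-src 'self' 'sha256-${cspHash("sha256", TRUSTED_SNIPPET)}'`;

function isAllowed(policy, sourceText) {
  try { hostEnsureCanCompileStrings(policy, sourceText); return true; }
  catch (e) { return false; }
}
```

With `POLICY`, only the exact trusted snippet compiles; any other string, or a call that omits the source text, is blocked unless the policy falls back to `'unsafe-eval'`.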