Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add trusted-types-eval source expression for script-src #665

Merged
merged 1 commit into from
Jan 15, 2025
Merged

Add trusted-types-eval source expression for script-src #665

merged 1 commit into from
Jan 15, 2025
+17 −8

Conversation

lukewarlow
Copy link
Member

@lukewarlow lukewarlow commented May 28, 2024
edited by pr-preview bot
Loading

This new keyword allows enabling eval only when trusted types are enforced. Such that in browsers that don't support trusted types no eval is allowed, unlike with unsafe-eval. This concept was brought up at previous WebAppSec WG meetings.

Implementor Interest:

Implementation Bugs:

Preview | Diff

@lukewarlow lukewarlow force-pushed the script-src-trusted-eval branch from 3a0f58d to 8444566 Compare May 28, 2024 13:56
This was referenced May 28, 2024
Closed
Merged
@lukewarlow
Copy link
Member Author

cc @otherdaniel @koto to gather Google feedback.

Mozilla Position Request: mozilla/standards-positions#1032

WebKit Position Request: WebKit/standards-positions#355

annevk
annevk reviewed May 31, 2024
View reviewed changes
index.bs Outdated Show resolved Hide resolved
@lukewarlow lukewarlow force-pushed the script-src-trusted-eval branch from 8444566 to 824fce9 Compare June 18, 2024 12:40
@lukewarlow lukewarlow changed the title Add trusted-eval source expression for script-src Add trusted-types-eval source expression for script-src Jun 18, 2024
@lukewarlow lukewarlow force-pushed the script-src-trusted-eval branch from 824fce9 to 1ed7bc6 Compare June 18, 2024 16:07
@lukewarlow lukewarlow mentioned this pull request Jul 17, 2024
Closed
@lukewarlow lukewarlow force-pushed the script-src-trusted-eval branch 2 times, most recently from ad31238 to 5b4509b Compare September 9, 2024 15:20
@lukewarlow lukewarlow marked this pull request as ready for review September 9, 2024 15:20
@lukewarlow
Copy link
Member Author

@mikewest if you've got time it'd be brilliant to get an editorial review of this too. Still waiting on some browser positions so won't merge yet.

@mikewest mikewest mentioned this pull request Oct 8, 2024
Open
@AlexErrant AlexErrant mentioned this pull request Nov 1, 2024
Closed
@ciaramcmullin ciaramcmullin added the addition/proposal New features or enhancements label Dec 4, 2024
@ciaramcmullin ciaramcmullin added this to the Future milestone Dec 4, 2024
@lukewarlow lukewarlow force-pushed the script-src-trusted-eval branch from 5b4509b to b6e3a19 Compare January 8, 2025 15:48
@lukewarlow
Add trusted-types-eval source expression for script-src
29f6b70 
This new keyword allows enabling eval only when trusted types are enforced. Such that in browsers that don't support trusted types no eval is allowed.
@lukewarlow lukewarlow force-pushed the script-src-trusted-eval branch from b6e3a19 to 29f6b70 Compare January 8, 2025 16:00
@lukewarlow lukewarlow mentioned this pull request Jan 8, 2025
Draft
@lukewarlow
Copy link
Member Author

Failing pipeline here seems to be related to a change already merged, rather than this PR. For now I'll leave it "broken" but happy to address if that's desired.

Made a WebKit PR at WebKit/WebKit#38741 so would be good to get this PR merged. Given the above standards positions is there a process for requesting review and approval like whatwg has?

mikewest
mikewest approved these changes Jan 9, 2025
View reviewed changes
Copy link
Member

@mikewest mikewest left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're working on defining the process for updating this spec, and I do hope we'll land on something similar to WHATWG's.

That said, we discussed this specific item at TPAC (https://github.com/w3c/webappsec/blob/main/meetings/2024/2024-09-26-TPAC-minutes.md#trusted-types-eval), there are positive signals from WebKit (WebKit/standards-positions#355), and Mozilla (mozilla/standards-positions#1032). I think whatever process we end up with would accept that as Good Enough™.

With that in mind, I'm comfortable landing this prior to solidifying a new process. @dveditz, WDYT?

@lukewarlow lukewarlow mentioned this pull request Jan 14, 2025
Merged
@fred-wang fred-wang mentioned this pull request Jan 15, 2025
Open
@lukewarlow
Copy link
Member Author

Based on todays meeting I'm going to go ahead and merge this. Thanks for the reviews.

@lukewarlow lukewarlow merged commit affe7a7 into w3c:main Jan 15, 2025
1 of 2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@annevk annevk annevk left review comments

@mikewest mikewest mikewest approved these changes

Assignees
No one assigned
Labels
addition/proposal New features or enhancements
Projects
None yet
Milestone
Future
Development

Successfully merging this pull request may close these issues.
4 participants
@lukewarlow @mikewest @annevk @ciaramcmullin