Open Bug 1931288 Opened 27 days ago Updated 9 hours ago

Implement Trusted Types support for HostGetCodeForEval() / HostEnsureCanCompileStrings() / eval() / function constructor

Categories

(Core :: JavaScript Engine, task, P3)

task

Tracking

()

ASSIGNED

People

(Reporter: fredw, Assigned: fredw)

References

(Depends on 1 open bug, Blocks 2 open bugs)

Details

Attachments

(2 files, 3 obsolete files)

The Dynamic Code Brand Checks defines a HostGetCodeForEval() function that defaults to returning NO-CODE: https://tc39.es/proposal-dynamic-code-brand-checks/#sec-hostgetcodeforeval

But the HTML spec overrides it to handle TrustedScript objects: https://html.spec.whatwg.org/multipage/webappapis.html#hostgetcodeforeval(argument)

(I guess situation is similar to https://searchfox.org/mozilla-central/rev/30afd6631333bf83d5c62ca48c313d96a21b4bbd/js/src/proxy/Proxy.cpp#1046)

I'm making this depend on bug 1905239 as I assume we need the JS implementation first. I'm not quite sure either which component this bug should belong to.

I was not able to find any WPT test for HostGetCodeForEval + TrustedType.

Blocks: 1916956

Reading the spec Dynamic Code Brand Checks more carefully, I understand PerformEval and CreateDynamicFunction calls HostEnsureCanCompileStrings which is modified by the HTML spec to perform EnsureCSPDoesNotBlockStringCompilation, which then has special code for trusted types.

Spec:
https://tc39.es/proposal-dynamic-code-brand-checks/
https://html.spec.whatwg.org/multipage/webappapis.html#hostensurecancompilestrings(realm,-parameterstrings,-bodystring,-codestring,-compilationtype,-parameterargs,-bodyarg)
https://w3c.github.io/webappsec-csp/#can-compile-strings

Tests: https://searchfox.org/mozilla-central/source/testing/web-platform/tests/trusted-types/ contains many tests for eval and function constructors.

Summary: Implement Trusted Types support for HostGetCodeForEval() → Implement Trusted Types support for HostGetCodeForEval() / HostEnsureCanCompileStrings() / eval() / function constructor

(In reply to Frédéric Wang (:fredw) from comment #1)

Reading the spec Dynamic Code Brand Checks more carefully, I understand PerformEval and CreateDynamicFunction calls HostEnsureCanCompileStrings which is modified by the HTML spec to perform EnsureCSPDoesNotBlockStringCompilation, which then has special code for trusted types.

I wrote down ECMAScript changes on bug 1905239 comment 1. In addition, the HTML changes at

https://html.spec.whatwg.org/#hostensurecancompilestrings(realm,-parameterstrings,-bodystring,-codestring,-compilationtype,-parameterargs,-bodyarg)
https://w3c.github.io/webappsec-csp/#can-compile-strings

seem to be handled in https://searchfox.org/mozilla-central/rev/b477cd37e845005dac8881427fa06a2771d993db/dom/workers/RuntimeService.cpp#502 and we would need to add trusted type support there.

We would also need to do the tweak suggested in

https://html.spec.whatwg.org/multipage/webappapis.html#hostgetcodeforeval(argument)

when HostGetCodeForEval is introduced in bug 1905239.

Severity: -- → N/A
Priority: -- → P3
Attachment #9438514 - Attachment description: WIP: Bug 1931288 - Implement HostGetCodeForEval() hook as per the HTML spec. → WIP: Bug 1931288 - Implement HostGetCodeForEval() hook as per the HTML spec. r=smaug,#dom-core
Attachment #9438818 - Attachment description: WIP: Bug 1931288 - Implement EnsureCSPDoesNotBlockStringCompilation for eval. → WIP: Bug 1931288 - Implement EnsureCSPDoesNotBlockStringCompilation for eval (Window global object).
Attachment #9438514 - Attachment description: WIP: Bug 1931288 - Implement HostGetCodeForEval() hook as per the HTML spec. r=smaug,#dom-core → WIP: Bug 1931288 - Implement HostGetCodeForEval() hook as per the HTML spec.
Attachment #9438818 - Attachment description: WIP: Bug 1931288 - Implement EnsureCSPDoesNotBlockStringCompilation for eval (Window global object). → WIP: Bug 1931288 - Implement EnsureCSPDoesNotBlockStringCompilation as per CSP spec.
Attachment #9439930 - Attachment is obsolete: true
Assignee: nobody → fwang
Attachment #9438514 - Attachment description: WIP: Bug 1931288 - Implement HostGetCodeForEval() hook as per the HTML spec. → Bug 1931288 - Implement HostGetCodeForEval() hook as per the HTML spec. r=#dom-core,smaug,bholley
Status: NEW → ASSIGNED
Attachment #9440166 - Attachment description: WIP: Bug 1931288 - Add more tests for EnsureCSPDoesNotBlockStringCompilation → Bug 1931288 - Add more tests for EnsureCSPDoesNotBlockStringCompilation. r=#dom-core,smaug
Attachment #9438818 - Attachment description: WIP: Bug 1931288 - Implement EnsureCSPDoesNotBlockStringCompilation as per CSP spec. → Bug 1931288 - Implement EnsureCSPDoesNotBlockStringCompilation as per CSP spec. r=#dom-core,smaug,bholley
Attachment #9438514 - Attachment description: Bug 1931288 - Implement HostGetCodeForEval() hook as per the HTML spec. r=#dom-core,smaug,bholley → Bug 1931288 - Implement HostGetCodeForEval() hook as per the HTML spec. r=#dom-core,smaug
Attachment #9438818 - Attachment description: Bug 1931288 - Implement EnsureCSPDoesNotBlockStringCompilation as per CSP spec. r=#dom-core,smaug,bholley → Bug 1931288 - Implement EnsureCSPDoesNotBlockStringCompilation as per CSP spec. r=#dom-core,smaug
Attachment #9438818 - Attachment description: Bug 1931288 - Implement EnsureCSPDoesNotBlockStringCompilation as per CSP spec. r=#dom-core,smaug → WIP: Bug 1931288 - Implement EnsureCSPDoesNotBlockStringCompilation as per CSP spec. r=#dom-core,smaug
Attachment #9438818 - Attachment description: WIP: Bug 1931288 - Implement EnsureCSPDoesNotBlockStringCompilation as per CSP spec. r=#dom-core,smaug → Bug 1931288 - Implement EnsureCSPDoesNotBlockStringCompilation as per CSP spec. r=#dom-core,smaug
Depends on: 1934373

Comment on attachment 9440166 [details]
Bug 1931288 - Add more tests for EnsureCSPDoesNotBlockStringCompilation. r=#dom-core,smaug

Revision D230369 was moved to bug 1934373. Setting attachment 9440166 [details] to obsolete.

Attachment #9440166 - Attachment is obsolete: true
Depends on: 1934569
Attachment #9438818 - Attachment description: Bug 1931288 - Implement EnsureCSPDoesNotBlockStringCompilation as per CSP spec. r=#dom-core,smaug → WIP: Bug 1931288 - Implement EnsureCSPDoesNotBlockStringCompilation as per CSP spec. r=#dom-core,smaug
Attachment #9438818 - Attachment description: WIP: Bug 1931288 - Implement EnsureCSPDoesNotBlockStringCompilation as per CSP spec. r=#dom-core,smaug → Bug 1931288 - Implement EnsureCSPDoesNotBlockStringCompilation as per CSP spec. r=#dom-core,smaug
Depends on: 1935594
Attachment #9438514 - Attachment description: Bug 1931288 - Implement HostGetCodeForEval() hook as per the HTML spec. r=#dom-core,smaug → WIP: Bug 1931288 - Implement HostGetCodeForEval() hook as per the HTML spec. r=#dom-core,smaug
Attachment #9438818 - Attachment description: Bug 1931288 - Implement EnsureCSPDoesNotBlockStringCompilation as per CSP spec. r=#dom-core,smaug → WIP: Bug 1931288 - Implement EnsureCSPDoesNotBlockStringCompilation as per CSP spec. r=#dom-core,smaug

Comment on attachment 9441002 [details]
WIP: Bug 1931288 - Strip "function anonymous" prefixes from Function samples. r=smaug

Revision D230756 was moved to bug 1919729. Setting attachment 9441002 [details] to obsolete.

Attachment #9441002 - Attachment is obsolete: true
Attachment #9438514 - Attachment description: WIP: Bug 1931288 - Implement HostGetCodeForEval() hook as per the HTML spec. r=#dom-core,smaug → Bug 1931288 - Implement HostGetCodeForEval() hook as per the HTML spec. r=#dom-core,smaug
Attachment #9438514 - Attachment description: Bug 1931288 - Implement HostGetCodeForEval() hook as per the HTML spec. r=#dom-core,smaug → WIP: Bug 1931288 - Implement HostGetCodeForEval() hook as per the HTML spec. r=#dom-core,smaug
Attachment #9438514 - Attachment description: WIP: Bug 1931288 - Implement HostGetCodeForEval() hook as per the HTML spec. r=#dom-core,smaug → Bug 1931288 - Implement HostGetCodeForEval() hook as per the HTML spec. r=#dom-core,smaug
Attachment #9438818 - Attachment description: WIP: Bug 1931288 - Implement EnsureCSPDoesNotBlockStringCompilation as per CSP spec. r=#dom-core,smaug → Bug 1931288 - Implement EnsureCSPDoesNotBlockStringCompilation as per CSP spec. r=#dom-core,smaug
No longer depends on: 1935594
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: