Implement Trusted Types support for HostGetCodeForEval() / HostEnsureCanCompileStrings() / eval() / function constructor
Categories: Core :: JavaScript Engine, task, P3
People: Reporter: fredw, Assigned: fredw
References: Depends on 1 open bug, Blocks 2 open bugs
Attachments: 2 files, 3 obsolete files
The Dynamic Code Brand Checks defines a HostGetCodeForEval() function that defaults to returning NO-CODE: https://tc39.es/proposal-dynamic-code-brand-checks/#sec-hostgetcodeforeval
But the HTML spec overrides it to handle TrustedScript objects: https://html.spec.whatwg.org/multipage/webappapis.html#hostgetcodeforeval(argument)
(I guess the situation is similar to https://searchfox.org/mozilla-central/rev/30afd6631333bf83d5c62ca48c313d96a21b4bbd/js/src/proxy/Proxy.cpp#1046)
I'm making this depend on bug 1905239 as I assume we need the JS implementation first. I'm not quite sure either which component this bug should belong to.
I was not able to find any WPT test for HostGetCodeForEval + TrustedType.
Comment 1 (Assignee) • 27 days ago
Reading the spec Dynamic Code Brand Checks more carefully, I understand PerformEval and CreateDynamicFunction call HostEnsureCanCompileStrings, which is modified by the HTML spec to perform EnsureCSPDoesNotBlockStringCompilation, which then has special code for trusted types.
Spec:
https://tc39.es/proposal-dynamic-code-brand-checks/
https://html.spec.whatwg.org/multipage/webappapis.html#hostensurecancompilestrings(realm,-parameterstrings,-bodystring,-codestring,-compilationtype,-parameterargs,-bodyarg)
https://w3c.github.io/webappsec-csp/#can-compile-strings
Tests: https://searchfox.org/mozilla-central/source/testing/web-platform/tests/trusted-types/ contains many tests for eval and function constructors.
Comment 2 (Assignee) • 23 days ago
(In reply to Frédéric Wang (:fredw) from comment #1)
> Reading the spec Dynamic Code Brand Checks more carefully, I understand PerformEval and CreateDynamicFunction call HostEnsureCanCompileStrings, which is modified by the HTML spec to perform EnsureCSPDoesNotBlockStringCompilation, which then has special code for trusted types.
I wrote down ECMAScript changes on bug 1905239 comment 1. In addition, the HTML changes at
https://html.spec.whatwg.org/#hostensurecancompilestrings(realm,-parameterstrings,-bodystring,-codestring,-compilationtype,-parameterargs,-bodyarg)
https://w3c.github.io/webappsec-csp/#can-compile-strings
seem to be handled in https://searchfox.org/mozilla-central/rev/b477cd37e845005dac8881427fa06a2771d993db/dom/workers/RuntimeService.cpp#502 and we would need to add trusted type support there.
We would also need to do the tweak suggested in
https://html.spec.whatwg.org/multipage/webappapis.html#hostgetcodeforeval(argument)
when HostGetCodeForEval is introduced in bug 1905239.
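The hook chain described in comments 1 and 2, as an added example that is not part of the original bug and is not Gecko code: a simplified JavaScript model (runnable in Node, all names hypothetical) of how PerformEval treats a TrustedScript under the default and the HTML HostGetCodeForEval, and how the CSP check rejects plain strings. It assumes a policy equivalent to `require-trusted-types-for 'script'` and leaves out the Trusted Types default policy and the `'unsafe-eval'` source check.

```javascript
// Added example: simplified model of the hooks discussed in this bug, not Gecko code.
// All names are hypothetical; a WeakMap stands in for the TrustedScript brand.
const NO_CODE = Symbol("NO-CODE");
const trustedData = new WeakMap();

function createTrustedScript(data) {
  const obj = Object.freeze({ toString: () => data });
  trustedData.set(obj, data); // only objects minted here carry the brand
  return obj;
}

// ECMAScript default: no object ever carries code.
const defaultHostGetCodeForEval = () => NO_CODE;
// HTML override: a TrustedScript yields its data, anything else is NO-CODE.
const htmlHostGetCodeForEval = (arg) =>
  trustedData.has(arg) ? trustedData.get(arg) : NO_CODE;

// Trusted-types part of EnsureCSPDoesNotBlockStringCompilation only.
function ensureCSPDoesNotBlockStringCompilation(csp, codeString, bodyArg) {
  const isTrusted = trustedData.has(bodyArg) && trustedData.get(bodyArg) === codeString;
  if (csp.requireTrustedTypesForScript && !isTrusted)
    throw new EvalError("string compilation blocked: argument is not a TrustedScript");
}

const isObject = (v) => (typeof v === "object" && v !== null) || typeof v === "function";

// Argument handling of PerformEval; reports the outcome instead of compiling anything.
function modelPerformEval(x, { hostGetCodeForEval, csp }) {
  let code;
  if (typeof x === "string") {
    code = x;
  } else if (isObject(x)) {
    code = hostGetCodeForEval(x);
    if (code === NO_CODE) return { outcome: "returned-unchanged", value: x };
  } else {
    return { outcome: "returned-unchanged", value: x };
  }
  try {
    ensureCSPDoesNotBlockStringCompilation(csp, code, x); // reached via HostEnsureCanCompileStrings
  } catch (e) {
    return { outcome: "blocked", error: e.name };
  }
  return { outcome: "compiled", code };
}

// Constructed inputs: an enforcing policy and one TrustedScript.
const enforced = { requireTrustedTypesForScript: true };
const script = createTrustedScript("1 + 1");
for (const [x, hook] of [["1 + 1", htmlHostGetCodeForEval], [script, defaultHostGetCodeForEval], [script, htmlHostGetCodeForEval]])
  console.log(modelPerformEval(x, { hostGetCodeForEval: hook, csp: enforced }).outcome);
```

With the default hook the TrustedScript is handed back uncompiled, which is why the HTML override is needed before trusted values can be evaluated at all.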
Comment 7 • 11 days ago
Comment on attachment 9440166 [details]
Bug 1931288 - Add more tests for EnsureCSPDoesNotBlockStringCompilation. r=#dom-core,smaug
Revision D230369 was moved to bug 1934373. Setting attachment 9440166 [details] to obsolete.
Comment 9 • 2 days ago
Comment on attachment 9441002 [details]
WIP: Bug 1931288 - Strip "function anonymous" prefixes from Function samples. r=smaug
Revision D230756 was moved to bug 1919729. Setting attachment 9441002 [details] to obsolete.