Open Bug 1940493 Opened 2 months ago Updated 1 month ago

Implement trusted-types-eval CSP script-src keyword

Categories

(Core :: DOM: Security, enhancement)

People

(Reporter: lwarlow, Unassigned)

References

(Blocks 1 open bug)

Details

Implement a new keyword for the script-src CSP header called 'trusted-types-eval'.

This new header allows sites to opt into allowing eval in browsers that support and enforce trusted types (and this new keyword), and disable eval in older browsers that don't guarantee that protection.

See spec PR at https://github.com/w3c/webappsec-csp/pull/665

See Mozilla standards position at: https://github.com/mozilla/standards-positions/issues/1032

See bug 1936014 comment 5 for comments related to Gecko's optimization.
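
The fallback behaviour described in this bug, as an added example that is not part of the bug report or of Gecko's code: a simplified model of the CSP check that gates eval, run against constructed policies for a browser that implements the keyword and one that does not. The function names, the `browser` capability flags and the requirement that `require-trusted-types-for 'script'` be present are assumptions based on the linked spec PR.

```javascript
// Simplified model of the CSP string-compilation (eval) check. Illustration only.
// All names and sample policies here are constructed for this example.

// Parse a CSP header value into a Map of directive name -> lower-cased tokens.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP keeps the first occurrence of a directive and ignores repeats.
    if (!directives.has(name)) {
      // Lower-casing is fine here because only keywords are inspected below.
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// browser.knowsKeyword: the engine implements 'trusted-types-eval'.
// browser.enforcesTrustedTypes: the engine enforces require-trusted-types-for.
function evalAllowed(header, browser) {
  const csp = parseCsp(header);
  const sources = csp.get("script-src") ?? csp.get("default-src");
  if (sources === undefined) return true; // no directive governs script
  if (sources.includes("'unsafe-eval'")) return true; // allowed everywhere
  // Assumption: the keyword only counts when Trusted Types is required for
  // script sinks by the same policy and the browser enforces it.
  const ttRequired =
    (csp.get("require-trusted-types-for") ?? []).includes("'script'");
  return (
    browser.knowsKeyword &&
    browser.enforcesTrustedTypes &&
    ttRequired &&
    sources.includes("'trusted-types-eval'")
  );
}

// Constructed sample policies and browser profiles.
const OPT_IN = "script-src 'self' 'trusted-types-eval'; require-trusted-types-for 'script'";
const NO_TT = "script-src 'self' 'trusted-types-eval'";
const UNSAFE = "script-src 'self' 'unsafe-eval'";
const SUPPORTING = { knowsKeyword: true, enforcesTrustedTypes: true };
const OLDER = { knowsKeyword: false, enforcesTrustedTypes: false };

for (const [label, policy] of [["opt-in", OPT_IN], ["no TT", NO_TT], ["unsafe-eval", UNSAFE]]) {
  console.log(label, "supporting:", evalAllowed(policy, SUPPORTING), "older:", evalAllowed(policy, OLDER));
}
```

The model covers only the CSP gate; in a supporting browser, Trusted Types still decides whether the value passed to eval is acceptable.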
