Comments (7)
I moved the spec-centric issues to #207. I propose we postpone the polyfilling until after the spec issues are resolved. We won't be able to polyfill everything, so I'm thinking about whether we should attempt to in the TT polyfill, given that we'd likely run into performance, or some stack trace introspection issues. To demonstrate feasibility, we can probably create a Babel plugin. WDYT, @mikesamuel ?
I like the Function constructor polyfill. Can we check if this doesn't break existing code?

As for 'eval', I'm afraid that polyfilling it will introduce tricky functional bugs in the applications using the polyfill. I'm not yet convinced this is the right way to go; it might be more fitting to just mention that this is a known gap for the polyfill, and assume that `eval` is otherwise sparsely used and easy to find with other means.
> Can we check if this doesn't break existing code?

Do you want to try out a canary project with the patch? Or do you want a PR that adds it and some tests.

> As for 'eval',

To make sure I understand, `Function` can be called implicitly via `({})['constructor']['constructor'](code)()`, but `eval` requires the use of the `eval` (unreserved) keyword. So our polyfill security caveats could recommend banning `eval` via linter since the polyfill handles the one that is easy to overlook.
I have tried proxying `Function` before so have some indication that legacy code doesn't just go up in flames. I use a Function proxy to restrict dynamic code loading to certain modules in Node.js. That works with a bunch of legacy Node.js code.
OK, that works for Function(). To make sure I understand the `eval` concern: we can effectively polyfill `window.eval`, but not the operator (because of the scoping difference), but that's a problem, because most of the time the platform will choose the operator in place of the function. I think this may cause the polyfill to introduce functional bugs that are tricky to debug.

That's an implementation concern and I'm OK for the polyfill to cover fewer sinks than the native implementation if the alternative is to break applications in confusing ways. That said, for now I think we have to pause this anyway - as the Chrome implementation doesn't yet cover `Function()` nor `[window.]eval()`, let's resolve this first.
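The two points raised in this thread, that a guard on `Function` also covers the implicit `({})['constructor']['constructor']` path, and that wrapping `window.eval` changes the behaviour of the direct `eval` operator because of scoping, can be seen in a small script. The following is an added example, not the trusted-types polyfill's own code: `TrustedScriptLike` is a constructed stand-in for a TrustedScript value (the real API produces those from a policy's `createScript`), and `installFunctionGuard`, `installEvalReportOnly`, `evalSeesLocal` and `runDemo` are names chosen here. Node.js is assumed as the runtime.

```javascript
// Added example, not part of the trusted-types polyfill.
// Constructed stand-in for a TrustedScript value (assumption for this example).
class TrustedScriptLike {
  constructor(code) { this.code = String(code); Object.freeze(this); }
  toString() { return this.code; }
}

const OriginalFunction = Function;
const OriginalEval = eval; // the realm's intrinsic %eval%

// Replace the Function constructor with a guard that only compiles a
// TrustedScriptLike body. Returns a function that restores the original.
function installFunctionGuard() {
  const GuardedFunction = function (...args) {
    const body = args.length ? args[args.length - 1] : '';
    const params = args.slice(0, -1).map(String);
    if (!(body instanceof TrustedScriptLike)) {
      throw new TypeError('Refused to compile: Function body must be TrustedScript');
    }
    return OriginalFunction(...params, body.toString());
  };
  GuardedFunction.prototype = OriginalFunction.prototype;
  // ({}).constructor is Object; Object.constructor is found on
  // Function.prototype, so pointing that at the guard closes the implicit path.
  Object.defineProperty(OriginalFunction.prototype, 'constructor',
    { value: GuardedFunction, writable: true, configurable: true });
  globalThis.Function = GuardedFunction;
  return () => {
    Object.defineProperty(OriginalFunction.prototype, 'constructor',
      { value: OriginalFunction, writable: true, configurable: true });
    globalThis.Function = OriginalFunction;
  };
}

// A report-only wrapper for globalThis.eval: it forwards every call to the
// original, so any behaviour change comes purely from the wrapper existing.
function installEvalReportOnly(report) {
  globalThis.eval = function reportingEval(code) {
    if (typeof code === 'string') report(code);
    return OriginalEval(code); // not the `eval` identifier: an indirect eval
  };
  return () => { globalThis.eval = OriginalEval; };
}

// Direct eval sees function-local bindings; an indirect eval only sees globals.
function evalSeesLocal() {
  const localValue = 42;
  try { return eval('localValue'); } catch (e) { return e.name; }
}

// Runs both experiments and returns what was observed.
function runDemo() {
  const results = {};
  const restoreFunction = installFunctionGuard();
  try {
    try { Function('return 1'); results.direct = 'allowed'; }
    catch (e) { results.direct = e.name; }
    try { ({})['constructor']['constructor']('return 1'); results.implicit = 'allowed'; }
    catch (e) { results.implicit = e.name; }
    results.trusted = Function(new TrustedScriptLike('return 1 + 1'))();
    results.withParams = Function('a', 'b', new TrustedScriptLike('return a * b'))(6, 7);
  } finally {
    restoreFunction();
  }

  results.evalBefore = evalSeesLocal(); // direct eval: 42
  const seen = [];
  const restoreEval = installEvalReportOnly((code) => seen.push(code));
  try {
    // `eval` no longer resolves to %eval%, so the call is indirect and the
    // local binding is out of reach: ReferenceError.
    results.evalAfter = evalSeesLocal();
  } finally {
    restoreEval();
  }
  results.reported = seen;
  return results;
}

module.exports = { TrustedScriptLike, installFunctionGuard, installEvalReportOnly, evalSeesLocal, runDemo };
```

`runDemo()` shows the asymmetry the thread describes: both the direct `Function('...')` call and the implicit constructor lookup are refused while a TrustedScriptLike body still compiles, whereas even a pass-through wrapper on `globalThis.eval` turns the direct-eval operator into an indirect call and breaks code that relied on local scope. That is the kind of functional bug a polyfill of `eval` would introduce, which is why treating `eval` as a documented gap and catching it with a linter is the safer option.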
https://mikesamuel.github.io/proposal-hostensurecancompilestrings-passthru/ aims to address the lack of context in the host.
@koto, +1