From 3538217a4e07a4dbcfd63ca579e9b161697305a1 Mon Sep 17 00:00:00 2001 From: Luke Warlow Date: Tue, 12 Mar 2024 17:56:46 +0000 Subject: [PATCH] Add new `trusted-eval` source expression to 'script-src' directive. This allows removal of 'unsafe-eval' keyword provided you enforce trusted types and replace it with 'trusted-eval'. --- spec/index.bs | 44 +++++++++++++++++++++++++++++++++++++------- 1 file changed, 37 insertions(+), 7 deletions(-) diff --git a/spec/index.bs b/spec/index.bs index 9ac3be3..c6f2f01 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -1639,6 +1639,29 @@ Content-Security-Policy: trusted-types one two default +### trusted-eval source ### {#trusted-eval-csp-source} + +This document defines *trusted-eval* - a new [=source expression=]. The [=trusted-eval-source|trusted-eval=] source can be used to allow evaluation of trusted code. Without +the use of "`'unsafe-eval'`". + +Note: This source expression is used to allow usage of eval in environments protected by trusted types, without allowing the uncontrolled use of eval +in environments that don't have trusted types supported and enabled. + +
+keyword-source = "'self'" / "'unsafe-inline'" / "'unsafe-eval'"
+                 / "'strict-dynamic'" / "'unsafe-hashes'" /
+                 / "'report-sample'" / "'unsafe-allow-redirects'"
+                 / "'wasm-unsafe-eval'" / "'trusted-eval'"
+
+ +
+To use trusted-eval, the following header is required: + +
+Content-Security-Policy: require-trusted-types-for 'script'; script-src 'trusted-eval'
+
+
+ ### Does sink type require trusted types? ### {#does-sink-require-trusted-types} Given a [=realm/global object=] (|global|), a string (|sinkGroup|) this algorithm @@ -1779,6 +1802,9 @@ throws an "`EvalError`" if not: 1. If |sourceString| is not equal to |source|, throw an {{EvalError}}. +1. Let |requireTrustedTypes| be the result of executing [$Does sink type require trusted types?$] algorithm, + passing |calleeRealm|, and `'script'`. + 1. Let |global| be a |calleeRealm|'s [=realm/global object=]. 1. Let |result| be "`Allowed`". 
@@ -1787,28 +1813,32 @@ throws an "`EvalError`" if not: 1. Let |source-list| be `null`. - 2. If |policy| contains a [=directive=] whose [=directive/name=] is "`script-src`", then + 1. If |policy| contains a [=directive=] whose [=directive/name=] is "`script-src`", then set |source-list| to that [=directive=]'s [=directive/value=]. Otherwise if |policy| contains a [=directive=] whose [=directive/name=] is "`default-src`", then set |source-list| to that directive's [=directive/value=]. - 3. If |source-list| is not `null`, and does not contain a [=source expression=] which is - an [=ASCII case-insensitive=] match for the string "`'unsafe-eval'`" then: + 1. If |source-list| is not `null`, then: + 1. If |requireTrustedTypes| and |source-list| contains a [=source expression=] which is + an [=ASCII case-insensitive=] match for the string "`'trusted-eval'`", then skip the following steps. + + 1. If |source-list| contains a [=source expression=] which is + an [=ASCII case-insensitive=] match for the string "`'unsafe-eval'`", then skip the following steps. 1. Let |violation| be the result of executing [[CSP3#create-violation-for-global]] on |global|, |policy|, and "`script-src`". - 2. Set |violation|'s [=violation/resource=] to "`inline`". + 1. Set |violation|'s [=violation/resource=] to "`inline`". - 3. If |source-list| [=list/contains=] the expression + 1. If |source-list| [=list/contains=] the expression "`'report-sample'`", then set |violation|'s [=violation/sample=] to the substring of |source| |sourceString| containing its first 40 characters. - 4. Execute [[CSP3#report-violation]] on |violation|. + 1. Execute [[CSP3#report-violation]] on |violation|. - 5. If |policy|'s [=policy/disposition=] is "`enforce`", then set |result| to + 1. If |policy|'s [=policy/disposition=] is "`enforce`", then set |result| to "`Blocked`". 1. If |result| is "`Blocked`", throw an `EvalError` exception.
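Review bot: the `keyword-source` ABNF added in the first hunk has a stray trailing `/` on the `'unsafe-hashes'` line, so `/ "'unsafe-hashes'" /` followed by `/ "'report-sample'"` produces an empty alternative; drop one of the two slashes. Two smaller points in the same hunk: the opening paragraph breaks into a fragment ("... evaluation of trusted code. Without the use of 'unsafe-eval'.") and should read as one sentence, and `[=trusted-eval-source|trusted-eval=]` autolinks a term that this hunk only introduces with markdown emphasis (`*trusted-eval*`), so unless a `<dfn>` for `trusted-eval-source` exists elsewhere in the spec the reference will not resolve. It would also help readers to state in the note what the algorithm change implements: a `'trusted-eval'` expression in a context where trusted types are not enforced is ignored, so eval stays blocked rather than silently opening up.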
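Review bot: the new step in the second hunk passes |calleeRealm| to [$Does sink type require trusted types?$], but that algorithm (see the heading in the first hunk's trailing context) takes a [=realm/global object=] and a sink group string, not a realm. Move the step below `1. Let |global| be a |calleeRealm|'s [=realm/global object=].` and pass |global| instead, e.g. `1. Let |requireTrustedTypes| be the result of executing the [$Does sink type require trusted types?$] algorithm on |global| and "`'script'`".` (the article "the" before the algorithm name is also missing).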
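Review bot: "then skip the following steps" in the two new conditions of the third hunk is ambiguous about how far the skip reaches; it has to skip only the violation and reporting substeps for the current |policy| and then continue with the next policy, since a second policy that carries neither keyword must still set |result| to "`Blocked`". The removed formulation made this explicit with one conditional wrapping the substeps, and the same shape works here: `1. If |source-list| is not null, does not contain 'unsafe-eval', and it is not the case that |requireTrustedTypes| is true and |source-list| contains 'trusted-eval', then:` followed by the unchanged violation steps. Note also that |requireTrustedTypes| is evaluated once for the global while the `'trusted-eval'` lookup is per |policy|, so one policy's `'trusted-eval'` can be honoured on the strength of another policy's `require-trusted-types-for`; if that is intended, say so in the prose. The 2./3./4. to 1. renumbering is fine for Bikeshed but mixes a mechanical edit into the semantic change; consider splitting it out.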