Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add trusted-types-eval source expression for script-src #665

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

lukewarlow
Copy link
Member

@lukewarlow lukewarlow commented May 28, 2024

This new keyword allows enabling eval only when trusted types are enforced. Such that in browsers that don't support trusted types no eval is allowed, unlike with unsafe-eval. This concept was brought up at previous WebAppSec WG meetings.

Implementor Interest:


Preview | Diff

@lukewarlow
Copy link
Member Author

cc @otherdaniel @koto to gather Google feedback.

Mozilla Position Request: mozilla/standards-positions#1032

WebKit Position Request: WebKit/standards-positions#355

index.bs Outdated Show resolved Hide resolved
@lukewarlow lukewarlow changed the title Add trusted-eval source expression for script-src Add trusted-types-eval source expression for script-src Jun 18, 2024
This new keyword allows enabling eval only when trusted types are enforced. Such that in browsers that don't support trusted types no eval is allowed.
@lukewarlow lukewarlow marked this pull request as ready for review September 9, 2024 15:20
@lukewarlow
Copy link
Member Author

@mikewest if you've got time it'd be brilliant to get an editorial review of this too. Still waiting on some browser positions so won't merge yet.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants