Skip to content

Add trusted-types-eval source expression for script-src #665

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jan 15, 2025
Merged

Add trusted-types-eval source expression for script-src #665

merged 1 commit into from
Jan 15, 2025

Conversation

lukewarlow
Copy link
Member

@lukewarlow lukewarlow commented May 28, 2024
edited by pr-preview bot
Loading

This new keyword allows enabling eval only when trusted types are enforced. Such that in browsers that don't support trusted types no eval is allowed, unlike with unsafe-eval. This concept was brought up at previous WebAppSec WG meetings.

Implementor Interest:

Implementation Bugs:

Preview | Diff

@lukewarlow lukewarlow force-pushed the script-src-trusted-eval branch from 3a0f58d to 8444566 Compare May 28, 2024 13:56
This was referenced May 28, 2024
Closed
Merged
@lukewarlow
Copy link
Member Author

cc @otherdaniel @koto to gather Google feedback.

Mozilla Position Request: mozilla/standards-positions#1032

WebKit Position Request: WebKit/standards-positions#355

annevk
annevk reviewed May 31, 2024
View reviewed changes
@lukewarlow lukewarlow force-pushed the script-src-trusted-eval branch from 8444566 to 824fce9 Compare June 18, 2024 12:40
@lukewarlow lukewarlow changed the title Add trusted-eval source expression for script-src Add trusted-types-eval source expression for script-src Jun 18, 2024
@lukewarlow lukewarlow force-pushed the script-src-trusted-eval branch from 824fce9 to 1ed7bc6 Compare June 18, 2024 16:07
@lukewarlow lukewarlow mentioned this pull request Jul 17, 2024
Closed
@lukewarlow lukewarlow force-pushed the script-src-trusted-eval branch 2 times, most recently from ad31238 to 5b4509b Compare September 9, 2024 15:20
@lukewarlow lukewarlow marked this pull request as ready for review September 9, 2024 15:20
@lukewarlow
Copy link
Member Author

@mikewest if you've got time it'd be brilliant to get an editorial review of this too. Still waiting on some browser positions so won't merge yet.

@mikewest mikewest mentioned this pull request Oct 8, 2024
Open
@AlexErrant AlexErrant mentioned this pull request Nov 1, 2024
Closed
@ciaramcmullin ciaramcmullin added the addition/proposal New features or enhancements label Dec 4, 2024
@ciaramcmullin ciaramcmullin added this to the Future milestone Dec 4, 2024
@lukewarlow lukewarlow force-pushed the script-src-trusted-eval branch from 5b4509b to b6e3a19 Compare January 8, 2025 15:48
@lukewarlow
Add trusted-types-eval source expression for script-src
29f6b70 
This new keyword allows enabling eval only when trusted types are enforced. Such that in browsers that don't support trusted types no eval is allowed.
@lukewarlow lukewarlow force-pushed the script-src-trusted-eval branch from b6e3a19 to 29f6b70 Compare January 8, 2025 16:00
@lukewarlow lukewarlow mentioned this pull request Jan 8, 2025
Merged
@lukewarlow
Copy link
Member Author

Failing pipeline here seems to be related to a change already merged, rather than this PR. For now I'll leave it "broken" but happy to address if that's desired.

Made a WebKit PR at WebKit/WebKit#38741 so would be good to get this PR merged. Given the above standards positions is there a process for requesting review and approval like whatwg has?

mikewest
mikewest approved these changes Jan 9, 2025
View reviewed changes
Copy link
Member

@mikewest mikewest left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're working on defining the process for updating this spec, and I do hope we'll land on something similar to WHATWG's.

That said, we discussed this specific item at TPAC (https://github.com/w3c/webappsec/blob/main/meetings/2024/2024-09-26-TPAC-minutes.md#trusted-types-eval), there are positive signals from WebKit (WebKit/standards-positions#355), and Mozilla (mozilla/standards-positions#1032). I think whatever process we end up with would accept that as Good Enough™.

With that in mind, I'm comfortable landing this prior to solidifying a new process. @dveditz, WDYT?

@lukewarlow lukewarlow mentioned this pull request Jan 14, 2025
Merged
@fred-wang fred-wang mentioned this pull request Jan 15, 2025
Closed
@lukewarlow
Copy link
Member Author

Based on todays meeting I'm going to go ahead and merge this. Thanks for the reviews.

@lukewarlow lukewarlow merged commit affe7a7 into w3c:main Jan 15, 2025
1 of 2 checks passed
lando-prod-mozilla bot pushed a commit to mozilla-firefox/firefox that referenced this pull request Sep 3, 2025
@fred-wang
Bug 1940493 - Implement trusted-types-eval CSP script-src keyword. r=…
c2bd2d0 
…smaug

See w3c/webappsec-csp#665

Differential Revision: https://phabricator.services.mozilla.com/D263352
moz-wptsync-bot pushed a commit to web-platform-tests/wpt that referenced this pull request Sep 3, 2025
@fred-wang @moz-wptsync-bot
Implement trusted-types-eval CSP script-src keyword.
a5d3490 
See w3c/webappsec-csp#665

Differential Revision: https://phabricator.services.mozilla.com/D263352

bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1940493
gecko-commit: 95bc6cee58f879df3c2dfb431be9dc6dd5735cd9
gecko-reviewers: smaug
@moz-wptsync-bot moz-wptsync-bot mentioned this pull request Sep 3, 2025
Merged
moz-wptsync-bot pushed a commit to web-platform-tests/wpt that referenced this pull request Sep 3, 2025
@fred-wang @moz-wptsync-bot
Implement trusted-types-eval CSP script-src keyword.
c9b9512 
See w3c/webappsec-csp#665

Differential Revision: https://phabricator.services.mozilla.com/D263352

bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1940493
gecko-commit: 95bc6cee58f879df3c2dfb431be9dc6dd5735cd9
gecko-reviewers: smaug
i3roly pushed a commit to i3roly/firefox-dynasty that referenced this pull request Sep 8, 2025
@fred-wang
Bug 1940493 - Implement trusted-types-eval CSP script-src keyword. r=…
6618445 
…smaug

See w3c/webappsec-csp#665

Differential Revision: https://phabricator.services.mozilla.com/D263352
gecko-dev-updater pushed a commit to marco-c/gecko-dev-wordified-and-comments-removed that referenced this pull request Sep 8, 2025
@marco-c
Bug 1940493 - Implement trusted-types-eval CSP script-src keyword. r=…
2a5dd19 
…smaug

See w3c/webappsec-csp#665

Differential Revision: https://phabricator.services.mozilla.com/D263352

UltraBlame original commit: 95bc6cee58f879df3c2dfb431be9dc6dd5735cd9
gecko-dev-updater pushed a commit to marco-c/gecko-dev-comments-removed that referenced this pull request Sep 8, 2025
@marco-c
Bug 1940493 - Implement trusted-types-eval CSP script-src keyword. r=…
4c65a13 
…smaug

See w3c/webappsec-csp#665

Differential Revision: https://phabricator.services.mozilla.com/D263352

UltraBlame original commit: 95bc6cee58f879df3c2dfb431be9dc6dd5735cd9
gecko-dev-updater pushed a commit to marco-c/gecko-dev-wordified that referenced this pull request Sep 8, 2025
@marco-c
Bug 1940493 - Implement trusted-types-eval CSP script-src keyword. r=…
8c38361 
…smaug

See w3c/webappsec-csp#665

Differential Revision: https://phabricator.services.mozilla.com/D263352

UltraBlame original commit: 95bc6cee58f879df3c2dfb431be9dc6dd5735cd9
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@annevk annevk annevk left review comments

@mikewest mikewest mikewest approved these changes

Assignees

No one assigned

Labels

addition/proposal New features or enhancements

Projects

None yet

Milestone

Future

Development

Successfully merging this pull request may close these issues.

4 participants

@lukewarlow @mikewest @annevk @ciaramcmullin