New trusted-types-eval keyword for CSP script-src #1032

Closed
lukewarlow opened this issue May 28, 2024 · 2 comments
lukewarlow commented May 28, 2024

Request for Mozilla Position on an Emerging Web Specification

Other information

This proposes a new trusted-types-eval keyword for the CSP script-src directive. The main use case for this new keyword is to allow enabling eval only in browsers that support and have Trusted Types enforced. Currently Trusted Types are used alongside unsafe-eval (if you need eval), which means that in browsers with no Trusted Types support eval is still allowed (completely unmitigated by the protections TT offer). This new keyword would prevent that situation.
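The situation described in the comment above, as an added example that is not part of the issue or of any browser's CSP implementation: a small model of how a browser decides whether eval() is permitted under script-src, comparing a policy that relies on 'unsafe-eval' with one that uses the proposed 'trusted-types-eval' keyword. The model assumes (these are not spec text) that a browser which does not implement the keyword ignores it, as CSP does for unrecognised source expressions, and that the keyword only takes effect when require-trusted-types-for 'script' is also in force. Policies and browser profiles are constructed for the example.

```javascript
// Added example: a simplified model of CSP eval() gating. Not spec text.

// Parse a CSP header into a Map of directive name -> list of source expressions.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values.map((v) => v.toLowerCase()));
  }
  return directives;
}

// Decide whether eval() is allowed for a given policy in a given browser.
// `browser.supportsTrustedTypesEval` is an assumed capability flag standing in
// for "this browser implements Trusted Types and the new keyword".
function evalAllowed(header, browser) {
  const csp = parseCsp(header);
  // script-src governs eval; default-src applies when script-src is absent.
  const scriptSrc = csp.get('script-src') ?? csp.get('default-src');
  if (!scriptSrc) return true; // no script restriction at all

  // 'unsafe-eval' opens eval everywhere, whether or not Trusted Types exist.
  if (scriptSrc.includes("'unsafe-eval'")) return true;

  // The proposed keyword only does anything when TT enforcement is on AND the
  // browser understands it; elsewhere it is an unknown token and is ignored,
  // so eval stays blocked (the back-compat story described in the issue).
  const ttEnforced = (csp.get('require-trusted-types-for') ?? []).includes("'script'");
  if (browser.supportsTrustedTypesEval && ttEnforced && scriptSrc.includes("'trusted-types-eval'")) {
    return true; // in this browser only TrustedScript values reach eval()
  }
  return false;
}

// Constructed policies: the weak setting beside the proposed one.
const WEAK_POLICY = "require-trusted-types-for 'script'; script-src 'self' 'unsafe-eval'";
const PROPOSED_POLICY = "require-trusted-types-for 'script'; script-src 'self' 'trusted-types-eval'";

// Constructed browser profiles (hypothetical capability flag).
const LEGACY_BROWSER = { supportsTrustedTypesEval: false };
const MODERN_BROWSER = { supportsTrustedTypesEval: true };

// Summarise the four combinations so the difference is visible at a glance.
function compareOutcomes() {
  return {
    weakLegacy: evalAllowed(WEAK_POLICY, LEGACY_BROWSER),         // true: unmitigated eval
    weakModern: evalAllowed(WEAK_POLICY, MODERN_BROWSER),         // true
    proposedLegacy: evalAllowed(PROPOSED_POLICY, LEGACY_BROWSER), // false: keyword ignored, eval blocked
    proposedModern: evalAllowed(PROPOSED_POLICY, MODERN_BROWSER), // true: eval only under TT
  };
}

console.log(compareOutcomes());
```

The interesting row is `proposedLegacy`: with 'unsafe-eval' a browser lacking Trusted Types runs arbitrary strings through eval(), whereas with 'trusted-types-eval' the same browser falls back to blocking eval, which is the failure mode the keyword exists to close.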

lukewarlow (Author) commented:

See #20 for the original position on Trusted Types as a whole which is Positive from mozilla.

@lukewarlow lukewarlow changed the title New trusted-eval keyword for CSP script-src New trusted-types-eval keyword for CSP script-src Jun 18, 2024
mozfreddyb (Contributor) commented:

While having to use eval is a generally unfortunate thing, we acknowledge that some websites have painted themselves into a corner such that it's better to use eval only on trusted things rather than all kinds of eval.

There was a slight concern that "trusted..." sounds like a safe thing to do, when it is in fact only a pointer that the check should have been applied elsewhere. But that's pretty much aligned with the general understanding of trust in computer security, so we're OK. Generally, we're happy that this requires a trusted-types directive to be in effect to do anything and has a sane back-compat story.

My apologies for not circling back earlier here. After a discussion with our CSP folks internally, I suggest we mark this positive (but without an individual entry in our dashboard, because the change is a bit minor).
