Add trusted-types-eval source expression for script-src

This new keyword allows enabling eval only when trusted types are enforced. Such that in browsers that don't support trusted types no eval is allowed.
w3c · Jun 18, 2024 · 824fce9 · 824fce9
1 parent 2661aa2
commit 824fce9
Showing 1 changed file with 16 additions and 6 deletions.
diff --git a/index.bs b/index.bs
@@ -699,7 +699,7 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/
     <dfn>keyword-source</dfn> = "<dfn>'self'</dfn>" / "<dfn>'unsafe-inline'</dfn>" / "<dfn>'unsafe-eval'</dfn>"
                      / "<dfn>'strict-dynamic'</dfn>" / "<dfn>'unsafe-hashes'</dfn>" /
                      / "<dfn>'report-sample'</dfn>" / "<dfn>'unsafe-allow-redirects'</dfn>"
-                     / "<dfn>'wasm-unsafe-eval'</dfn>"
+                     / "<dfn>'wasm-unsafe-eval'</dfn>" / "<dfn>'trusted-types-eval'</dfn>"
 
     ISSUE: Bikeshed `unsafe-allow-redirects`.
 
@@ -1457,6 +1457,8 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/
 
       1.  Let |sourceString| be |codeString|.
 
+      1.  Let |requireTrustedTypes| be `false`.
+
   1.  Else:
 
       1.  Let |compilationSink| be `"Function"` if |compilationType| is function, otherwise `"Eval"`.
@@ -1507,9 +1509,17 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/
           Otherwise if |policy| contains a [=directive=] whose [=directive/name=] is
           "`default-src`", then set |source-list| to that directive's [=directive/value=].
 
-      3.  If |source-list| is not null, and does not contain a [=source expression=] which is
-          an [=ASCII case-insensitive=] match for the string "<a grammar>`'unsafe-eval'`</a>",
-          then:
+      1.  If |source-list| is not null:
+
+          1.  Let |trustedTypesRequired| be the result of executing [$Does sink type require trusted types?$], with
+              |realm|, `'script'`, and false.
+
+          1.  If |trustedTypesRequired| is true and |source-list| contains a [=source expression=] which is an
+              [=ASCII case-insensitive=] match for the string "<a grammar>`'trusted-types-eval'`</a>", then skip the
+              following steps.
+
+          1.  If |source-list| contains a [=source expression=] which is an [=ASCII case-insensitive=] match for the
+              string "<a grammar>`'unsafe-eval'`</a>", then skip the following steps.
 
           1.  Let |violation| be the result of executing [[#create-violation-for-global]] on
               |global|, |policy|, and "`script-src`".
@@ -2785,8 +2795,8 @@ this algorithm returns normally if compilation is allowed, and throws a
       <a grammar>nonce-source</a> or a <a grammar>hash-source</a> that matches
       the inline block.
 
-  4.  The following JavaScript execution sinks are gated on the "`unsafe-eval`"
-      source expression:
+  4.  The following JavaScript execution sinks are gated on the "`unsafe-eval`" and "`trusted-types-eval`"
+      source expressions:
 
       *   {{eval()}}
       *   {{Function()}}