HostEnsureCanCompileStrings definition mismatch #10202

Closed
lukewarlow opened this issue Mar 14, 2024 · 5 comments

@lukewarlow
Member

What is the issue with the HTML Standard?

The HTML definition of HostEnsureCanCompileStrings doesn't match the ECMAScript definition.

The call to EnsureCSPDoesNotBlockStringCompilation also doesn't match the CSP definition.

@lukewarlow
Member Author

The CSP spec includes a link to tc39/ecma262#938 which explains the missing source in the hook. However, the current state only includes the parameter strings as a list with the body string, rather than the compiled source string which CSP currently requires.

However, if tc39/ecma262#3294 is accepted then the ECMA definition will change again and pass through the compiled string (along with certain other parameters that will be needed).

@annevk
Member

annevk commented Mar 14, 2024

Duplicate of #4501 (see also #271)?

@lukewarlow
Member Author

lukewarlow commented Mar 14, 2024

Not quite a duplicate; that issue is linked to a change to ECMAScript that never happened. (I would personally close that other one out, as it's going to be outdated compared to the latest state of TT.)

@lukewarlow
Member Author

#271, while relevant, doesn't include the EnsureCSPDoesNotBlockStringCompilation changes specifically (unless I'm mistaken).

@nicolo-ribaudo
Contributor

I was planning on updating the HTML spec after my changes that got merged in ecma262, but I ended up waiting given that that host hook's signature might change soon again.

annevk pushed a commit that referenced this issue Jun 13, 2024
Update the HostEnsureCanCompileStrings definition to match dynamic code brand checks stage 3 proposal.

Also update the call to EnsureCSPDoesNotBlockStringCompilation to pass these new arguments through.

Also update the timer initialization steps to call EnsureCSPDoesNotBlockStringCompilation directly, and include the new parameters.

Also define HostGetCodeForEval implementation.

See w3c/webappsec-csp#650 for corresponding CSP PR.

Also see #10202 for context.
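
The gap discussed in the thread, a hook that sees parameter strings and a body string rather than the compiled source string that CSP checks, can be modelled in a few lines. This is an added example, not part of the issue thread or of any specification text; `compiledSourceFor`, `engineSourceFor`, `makePolicy` and the exact-match allowlist policy are hypothetical, and the inputs are constructed.

```javascript
// Added illustration. Function names here are hypothetical, not spec or browser APIs.

// Rebuilds the source text the way ECMAScript's CreateDynamicFunction does for
// `new Function(...parameterStrings, bodyString)`.
function compiledSourceFor(parameterStrings, bodyString) {
  return `function anonymous(${parameterStrings.join(",")}\n) {\n${bodyString}\n}`;
}

// What the engine itself reports as the source of the compiled function.
function engineSourceFor(parameterStrings, bodyString) {
  return new Function(...parameterStrings, bodyString).toString();
}

// Hypothetical host policy: exact-match allowlist over compiled source strings.
function makePolicy(allowedSources) {
  const allowed = new Set(allowedSources);
  return {
    // Hook given only the pieces: the host must reassemble the string itself.
    checkPieces: (parameterStrings, bodyString) =>
      allowed.has(compiledSourceFor(parameterStrings, bodyString)),
    // Hook given the compiled string: the host checks exactly what will run.
    checkCompiled: (codeString) => allowed.has(codeString),
    // Body-only view: cannot tell apart calls that differ only in parameters.
    checkBodyOnly: (bodyString) =>
      [...allowed].some((src) => src.endsWith(`) {\n${bodyString}\n}`)),
  };
}

// Constructed sample inputs: same body, different parameter strings.
const reviewed = { params: ["a", "b"], body: "return a + b" };
const unreviewed = { params: ["a", "b = 2"], body: "return a + b" };
const policy = makePolicy([compiledSourceFor(reviewed.params, reviewed.body)]);

function demo() {
  return {
    reassemblyMatchesEngine:
      compiledSourceFor(reviewed.params, reviewed.body) ===
      engineSourceFor(reviewed.params, reviewed.body),
    reviewedAllowed: policy.checkPieces(reviewed.params, reviewed.body),
    unreviewedAllowed: policy.checkCompiled(
      engineSourceFor(unreviewed.params, unreviewed.body)),
    bodyOnlyAcceptsUnreviewed: policy.checkBodyOnly(unreviewed.body),
  };
}

console.log(demo());
```

A check that only sees the body string accepts both calls, while a check on the compiled string separates them, because parameter strings are code too.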