
Move CSP monkey patches into HTML. #271

Open
mikewest opened this issue Oct 21, 2015 · 7 comments
Labels: integration (Better coordination across standards needed), security/privacy (There are security or privacy implications)

Comments

@mikewest
Member

https://w3c.github.io/webappsec-csp/#html-integration lists a number of patches that need to be made to HTML in order to support CSP. I'll wrap those up here.

@domenic
Member

domenic commented Feb 19, 2016

@mikewest anything left to do here?

@Ms2ger
Member

Ms2ger commented Mar 3, 2016

Seems like there are patches to setTimeout/setInterval that haven't made their way into the spec, at least.

@domenic
Member

domenic commented Mar 3, 2016

Here's how I'd ideally like that to shake out:

@mikewest how does that plan sound?

@domenic domenic self-assigned this Mar 3, 2016
@domenic
Member

domenic commented Mar 17, 2016

tc39/ecma262#451 was merged so if @mikewest wants to proceed by defining HostEnsureCanCompileStrings in CSP3, that'd be swell. If you'd rather I do it with a PR, let me know and I can get around to it.

@annevk annevk assigned mikewest and unassigned domenic Mar 18, 2016
@mikewest
Member Author

mikewest commented Apr 6, 2016

Just saw this, sorry about the delayed response. I'll add that definition to CSP3 shortly.

@domenic
Member

domenic commented Apr 8, 2016

I realize that this probably isn't entirely fixed by 374b54d as the link in the OP lists a few items without red "this is fixed in WHATWG HTML" boxes. So I'll reopen until @mikewest proclaims mission accomplished.

@domenic domenic reopened this Apr 8, 2016
jungkees pushed a commit to jungkees/html that referenced this issue Apr 8, 2016
CSP defines an algorithm we can use to define
HostEnsureCanCompileStrings, which throws an EvalError if string
compilation is disallowed.

We define HostEnsureCanCompileStrings here, delegating to CSP's
EnsureCSPDoesNotBlockStringCompilation, because in the future other
specs might also want to limit eval and setTimeout. It also centralizes
all the HostWhatever abstract operations in one place, which is nice.

Fixes whatwg#271.
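The layering described in the commit message above (HTML's HostEnsureCanCompileStrings hook delegating to CSP's check, which throws an EvalError when string compilation is disallowed), as an added JavaScript model that is not code from the HTML or CSP specs or from anyone in this thread. It assumes a simplified reading of CSP's 'unsafe-eval' rule (script-src governs, default-src is the fallback, and every enforced policy must allow compilation) and invents the names parseCsp, policyAllowsStringCompilation, ensureCspDoesNotBlockStringCompilation, hostEnsureCanCompileStrings, guardedSetTimeout and stringCompilationVerdict; real browsers implement this inside the engine, not in page script.

```javascript
// Added example (not from the WHATWG HTML or CSP specs): a simplified model
// of HostEnsureCanCompileStrings delegating to a CSP check. All function
// names below are this example's own assumptions.

// Parse a Content-Security-Policy header value into one Map per policy
// (comma-joined policies become separate Maps): directive name -> sources.
function parseCsp(headerValue) {
  return headerValue.split(",").map((policy) => {
    const directives = new Map();
    for (const raw of policy.split(";")) {
      const tokens = raw.trim().split(/\s+/).filter(Boolean);
      if (tokens.length === 0) continue;
      const name = tokens[0].toLowerCase();
      // A repeated directive within one policy is ignored, as in CSP.
      if (!directives.has(name)) directives.set(name, tokens.slice(1));
    }
    return directives;
  });
}

// Does a single policy permit string compilation (eval, Function, string
// handlers for setTimeout/setInterval)? script-src governs; default-src is
// the fallback; with neither present, nothing restricts compilation.
function policyAllowsStringCompilation(policy) {
  const sources = policy.get("script-src") ?? policy.get("default-src");
  if (sources === undefined) return true;
  return sources.some((src) => src.toLowerCase() === "'unsafe-eval'");
}

// CSP's side of the hook: every enforced policy must allow compilation,
// otherwise an EvalError is thrown (the error type the commit message names).
function ensureCspDoesNotBlockStringCompilation(policies) {
  if (policies.some((p) => !policyAllowsStringCompilation(p))) {
    throw new EvalError(
      "Refused to compile a string: script-src/default-src lacks 'unsafe-eval'"
    );
  }
}

// HTML's side of the hook: it only delegates, so other specs could later be
// consulted here without touching the callers.
function hostEnsureCanCompileStrings(policies) {
  ensureCspDoesNotBlockStringCompilation(policies);
}

// A setTimeout-shaped wrapper: only a *string* handler is subject to the
// check; a function handler is scheduled without consulting CSP. The
// scheduler is injectable so the behaviour can be exercised without timers.
function guardedSetTimeout(policies, handler, delay, scheduler = setTimeout) {
  if (typeof handler === "string") {
    hostEnsureCanCompileStrings(policies);
    // At this point a real host would compile the string as a script.
  }
  return scheduler(handler, delay);
}

// Convenience for quick checks: "allowed" or the thrown error's name.
function stringCompilationVerdict(headerValue) {
  try {
    hostEnsureCanCompileStrings(parseCsp(headerValue));
    return "allowed";
  } catch (e) {
    return e.name;
  }
}
```

Running stringCompilationVerdict against a header such as `default-src 'self'` yields "EvalError", while `script-src 'self' 'unsafe-eval'` yields "allowed"; the string/function split in guardedSetTimeout is the part of the setTimeout/setInterval patch this thread is tracking.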
@annevk
Member

annevk commented Mar 31, 2017

Seems like the only thing left here is #968?

@annevk annevk added security/privacy There are security or privacy implications integration Better coordination across standards needed and removed security/privacy There are security or privacy implications labels Jan 22, 2018
4 participants