Move CSP monkey patches into HTML. #271
Comments
@mikewest anything left to do here?
Seems like there's patches to
Here's how I'd ideally like that to shake out:
@mikewest how does that plan sound?
tc39/ecma262#451 was merged so if @mikewest wants to proceed by defining HostEnsureCanCompileStrings in CSP3, that'd be swell. If you'd rather I do it with a PR, let me know and I can get around to it.
Just saw this, sorry about the delayed response. I'll add that definition to CSP3 shortly.
CSP defines an algorithm we can use to define HostEnsureCanCompileStrings, which throws an EvalError if string compilation is disallowed. We define HostEnsureCanCompileStrings here, delegating to CSP's EnsureCSPDoesNotBlockStringCompilation, because in the future other specs might also want to limit eval and setTimeout. It also centralizes all the HostWhatever abstract operations in one place, which is nice. Fixes whatwg#271.
Seems like the only thing left here is #968?
https://w3c.github.io/webappsec-csp/#html-integration lists a number of patches that need to be made to HTML in order to support CSP. I'll wrap those up here.