Upstream Trusted Types enforcement in EnsureCSPDoesNotBlockStringCompilation #659

Merged (4 commits), Sep 9, 2024. Diff shown below: changes from 2 commits.
53 changes: 46 additions & 7 deletions index.bs
Expand Up @@ -751,8 +751,8 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/

Each <a>violation</a> has a
<dfn for="violation" id="violation-resource" export>resource</dfn>, which is
either null, "`inline`", "`eval`", "`wasm-eval`", or a {{URL}}. It represents the resource
which violated the policy.
either null, "`inline`", "`eval`", "`wasm-eval`", "`trusted-types-policy`", "`trusted-types-sink`" or a {{URL}}.
It represents the resource which violated the policy.

Note: The value null for a <a>violation</a>'s <a
for="violation">resource</a> is only allowed while the <a>violation</a> is
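
Review bot: the two new resource values "`trusted-types-policy`" and "`trusted-types-sink`" are added to the definition of a violation's resource without any indication of which algorithm sets them; nothing else in this diff creates a violation with either value, so add a cross-reference (or a Note alongside the existing one about null) pointing at the Trusted Types algorithms that produce these violations, otherwise a reader of this spec cannot tell when they occur. Also keep the serial comma the original line had, so the list reads `"wasm-eval", "trusted-types-policy", "trusted-types-sink", or a {{URL}}`.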
Expand Down Expand Up @@ -1452,6 +1452,47 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/
returns normally if string compilation is allowed, and throws an "`EvalError`"
if not:

1. If |compilationType| is timer, then:
<!-- timer is an enum value. -->

1. Let |sourceString| be |codeString|.

1. Else:

1. Let |compilationSink| be `"Function"` if |compilationType| is function, otherwise `"Eval"`.
<!-- function is an enum value. -->

1. Let |isTrusted| be `true`.

1. If |bodyArg| is not a {{TrustedScript}} object, set |isTrusted| to `false`.

1. If |isTrusted| is `true` then:

1. If |bodyString| is not equal to |bodyArg|'s [=TrustedScript/data=], set |isTrusted| to `false`.

1. If |isTrusted| is `true`, then:

1. For each |arg| in |parameterArgs|:

1. Let |index| be the index of |arg| in |parameterArgs|.
Member:
I'd suggest writing this loop differently, as I don't think Infra provides a way to get the index of a given element in a list. Something like the following:

1.  Assert: |parameterArgs|' [=list/length=] is equal to |parameterStrings|' [=list/length=].
1.  [=list/iterate|For each=] |index| of [=the range=] 0 to |parameterArgs|' [=list/length=]:
    1.  Let |arg| be |parameterArgs|[|index|].

Alternatively, we could add something to Infra to either create a For each variant that provides both an item and its index, or some mechanism to get the index of a given item? @annevk might have thoughts about which path might be preferable.

Member Author:

I've gone with what you suggested for now.


1. If |arg| is not a {{TrustedScript}} object, set |isTrusted| to `false`.

1. If |isTrusted| is `true`, then:

1. if |parameterStrings|[|index|] is not equal to |arg|'s [=TrustedScript/data=], set |isTrusted| to `false`.

1. If |isTrusted| is `true`, let |sourceToValidate| be a new instance of
the {{TrustedScript}} interface, with its [=TrustedScript/data=]
set to |codeString|. Otherwise, let |sourceToValidate| be |codeString|.

1. Let |sourceString| be the result of executing the [$Get Trusted Type compliant string$] algorithm, with
{{TrustedScript}}, |realm|, |sourceToValidate|, |compilationSink|, and `'script'`.

1. If the algorithm throws an error, throw an {{EvalError}}.

1. If |sourceString| is not equal to |codeString|, throw an {{EvalError}}.

1. Let |result| be "`Allowed`".

2. Let |global| be |realm|'s [=realm/global object=].
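
Review bot: the timer branch (step 1, "If |compilationType| is timer") sets |sourceString| to |codeString| and skips the Trusted Types check entirely, and the algorithm does not say why; if the intent is that the caller has already run Get Trusted Type compliant string on the timer handler before reaching this algorithm, say so in a Note on that step, because as written a reader sees a string-compilation path with no sink check and no explanation. Two smaller points in the Else branch: the loop over |parameterArgs| keeps iterating after |isTrusted| has been set to `false` (the "index of |arg|" wording is already being reworked in the thread above), so once the range-based loop is in, break out as soon as |isTrusted| becomes `false`, since the remaining iterations only re-set a flag that is already `false`; and capitalise "if" at the start of the innermost step ("If |parameterStrings|[|index|] is not equal to |arg|'s [=TrustedScript/data=] ..."), to match the other steps. Finally, "If the algorithm throws an error, throw an {{EvalError}}" is a separate step that follows the Get Trusted Type compliant string call it refers to; fold it into that step as "If this throws an exception, throw an {{EvalError}}" so it is unambiguous which call the rethrow applies to.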
Expand All @@ -1477,7 +1518,7 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/

3. If |source-list| [=list/contains=] the expression
"<a grammar>`'report-sample'`</a>", then set |violation|'s [=violation/sample=] to
the substring of |codeString| containing its first 40 characters.
the substring of |sourceString| containing its first 40 characters.

4. Execute [[#report-violation]] on |violation|.
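
Review bot: switching the sample from |codeString| to |sourceString| is a no-op as the algorithm stands, because the step "If |sourceString| is not equal to |codeString|, throw an {{EvalError}}" in the preceding hunk (and the timer branch, which assigns |codeString| to |sourceString| directly) guarantees the two are identical by the time the violation is reported; that is fine as future-proofing, but say so in the commit message so the change is not read as altering what `'report-sample'` exposes.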

Expand All @@ -1486,8 +1527,6 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/

4. If |result| is "`Blocked`", throw an `EvalError` exception.

Note: |parameterStrings|, |bodyString|, |compilationType|, |parameterArgs|, and |bodyArg| are currently unused. They are included for future use.

<h3 id="wasm-integration">Integration with WebAssembly</h3>

WebAssembly defines the {{HostEnsureCanCompileWasmBytes()}} abstract operation
Expand Down Expand Up @@ -3693,10 +3732,10 @@ this algorithm returns normally if compilation is allowed, and throws a

3. If |directive|'s <a for="directive">value</a> contains
"<a grammar>`'strict-dynamic'`</a>":

1. If |request|'s <a for="request">parser metadata</a> is not
<a>"parser-inserted"</a>, return "`Allowed`".

Otherwise, return "`Blocked`".

4. If the result of executing [[#match-response-to-source-list]] on