Remove CSP dynamic code compilation block (w3c#544)
SHA: 1c98273
Reason: push, by lukewarlow

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
lukewarlow and github-actions[bot] committed Sep 9, 2024
1 parent 7f6cd96 commit 24bd116
Showing 1 changed file with 15 additions and 23 deletions.
38 changes: 15 additions & 23 deletions dist/spec/index.html
@@ -7,7 +7,7 @@
<link href="https://www.w3.org/StyleSheets/TR/2021/W3C-ED" rel="stylesheet">
<meta content="Bikeshed version 82ce88815, updated Thu Sep 7 16:33:55 2023 -0700" name="generator">
<link href="https://www.w3.org/TR/trusted-types/" rel="canonical">
<meta content="cf78f7e969f80f66507baa4d70834ebc15fce6c7" name="document-revision">
<meta content="1c98273966a4834cee4cdf5a3ccdb2d0b9d2046d" name="document-revision">
<style>/* Boilerplate: style-autolinks */
.css.css, .property.property, .descriptor.descriptor {
color: var(--a-normal-text);
@@ -1005,7 +1005,7 @@
<div class="head">
<p data-fill-with="logo"><a class="logo" href="https://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/StyleSheets/TR/2021/logos/W3C" width="72"> </a> </p>
<h1 class="p-name no-ref" id="title">Trusted Types</h1>
<p id="w3c-state"><a href="https://www.w3.org/standards/types#ED">Editor’s Draft</a>, <time class="dt-updated" datetime="2024-07-04">4 July 2024</time></p>
<p id="w3c-state"><a href="https://www.w3.org/standards/types#ED">Editor’s Draft</a>, <time class="dt-updated" datetime="2024-09-09">9 September 2024</time></p>
<details open>
<summary>More details about this document</summary>
<div data-fill-with="spec-metadata">
@@ -1141,7 +1141,6 @@ <h2 class="no-num no-toc no-ref" id="contents">Table of Contents</h2>
<li><a href="#does-sink-require-trusted-types"><span class="secno">4.3.3</span> <span class="content"><span>Does sink type require trusted types?</span></span></a>
<li><a href="#should-block-sink-type-mismatch"><span class="secno">4.3.4</span> <span class="content"><span>Should sink type mismatch violation be blocked by Content Security Policy?</span></span></a>
<li><a href="#should-block-create-policy"><span class="secno">4.3.5</span> <span class="content"><span>Should Trusted Type policy creation be blocked by Content Security Policy?</span></span></a>
<li><a href="#csp-eval"><span class="secno">4.3.6</span> <span class="content">Support for dynamic code compilation</span></a>
</ol>
</ol>
<li>
@@ -1184,7 +1183,6 @@ <h2 class="no-num no-toc no-ref" id="contents">Table of Contents</h2>
<summary>Tests</summary>
<ul class="wpt-tests-list">
<li class="wpt-test"><a class="wpt-name" href="https://wpt.fyi/results/trusted-types/block-Document-execCommand.html" title="trusted-types/block-Document-execCommand.html">block-Document-execCommand.html</a> <a class="wpt-live" href="http://wpt.live/trusted-types/block-Document-execCommand.html"><small>(live test)</small></a> <a class="wpt-source" href="https://github.com/web-platform-tests/wpt/blob/master/trusted-types/block-Document-execCommand.html"><small>(source)</small></a>
<li class="wpt-test"><a class="wpt-name" href="https://wpt.fyi/results/trusted-types/block-Node-multiple-arguments.html" title="trusted-types/block-Node-multiple-arguments.html">block-Node-multiple-arguments.html</a> <a class="wpt-live" href="http://wpt.live/trusted-types/block-Node-multiple-arguments.html"><small>(live test)</small></a> <a class="wpt-source" href="https://github.com/web-platform-tests/wpt/blob/master/trusted-types/block-Node-multiple-arguments.html"><small>(source)</small></a>
<li class="wpt-test"><a class="wpt-name" href="https://wpt.fyi/results/trusted-types/block-string-assignment-to-attribute-via-attribute-node.html" title="trusted-types/block-string-assignment-to-attribute-via-attribute-node.html">block-string-assignment-to-attribute-via-attribute-node.html</a> <a class="wpt-live" href="http://wpt.live/trusted-types/block-string-assignment-to-attribute-via-attribute-node.html"><small>(live test)</small></a> <a class="wpt-source" href="https://github.com/web-platform-tests/wpt/blob/master/trusted-types/block-string-assignment-to-attribute-via-attribute-node.html"><small>(source)</small></a>
<li class="wpt-test"><a class="wpt-name" href="https://wpt.fyi/results/trusted-types/block-string-assignment-to-Document-parseHTMLUnsafe.html" title="trusted-types/block-string-assignment-to-Document-parseHTMLUnsafe.html">block-string-assignment-to-Document-parseHTMLUnsafe.html</a> <a class="wpt-live" href="http://wpt.live/trusted-types/block-string-assignment-to-Document-parseHTMLUnsafe.html"><small>(live test)</small></a> <a class="wpt-source" href="https://github.com/web-platform-tests/wpt/blob/master/trusted-types/block-string-assignment-to-Document-parseHTMLUnsafe.html"><small>(source)</small></a>
<li class="wpt-test"><a class="wpt-name" href="https://wpt.fyi/results/trusted-types/block-string-assignment-to-Document-write.html" title="trusted-types/block-string-assignment-to-Document-write.html">block-string-assignment-to-Document-write.html</a> <a class="wpt-live" href="http://wpt.live/trusted-types/block-string-assignment-to-Document-write.html"><small>(live test)</small></a> <a class="wpt-source" href="https://github.com/web-platform-tests/wpt/blob/master/trusted-types/block-string-assignment-to-Document-write.html"><small>(source)</small></a>
@@ -1828,9 +1826,9 @@ <h4 class="heading settled" data-level="2.3.1" id="trusted-type-policy-factory">
<dd data-md>
<p>is a <code class="idl"><a data-link-type="idl" href="#trustedscript" id="ref-for-trustedscript⑦">TrustedScript</a></code> object with its <a data-link-type="dfn" href="#trustedscript-data" id="ref-for-trustedscript-data②">data</a> value set to an empty string.</p>
</dl>
<p class="note" role="note"><span class="marker">Note:</span> This object can be used to detect if the runtime environment has <a href="#csp-eval">§ 4.3.6 Support for dynamic code compilation</a>. While native Trusted Types implementation can
support <code>eval(TrustedScript)</code>, it is impossible for a polyfill to emulate that, as
eval(TrustedScript) will return its input without unwrapping and evaluating the code.</p>
<p class="note" role="note"><span class="marker">Note:</span> This object can be used to detect if the runtime environment has support for dynamic code compilation.
While native Trusted Types implementation can support <code>eval(TrustedScript)</code>, it is impossible for a polyfill to
emulate that, as eval(TrustedScript) will return its input without unwrapping and evaluating the code.</p>
<div class="example" id="empty-script-example">
<a class="self-link" href="#empty-script-example"></a>
<pre class="highlight"><c- c1>// With native Trusted Types support eval(trustedTypes.emptyScript) will execute and return falsy undefined.</c->
@@ -2010,15 +2008,11 @@ <h3 class="heading settled" data-level="3.1" id="create-trusted-type-policy-algo
<li data-md>
<p>Set <var>policy</var>’s <code>name</code> property value to <var>policyName</var>.</p>
<li data-md>
<p>Let <var>policyOptions</var> be a new <code class="idl"><a data-link-type="idl" href="#dictdef-trustedtypepolicyoptions" id="ref-for-dictdef-trustedtypepolicyoptions⑤">TrustedTypePolicyOptions</a></code> object.</p>
<li data-md>
<p>Set <var>policyOptions</var> <code class="idl"><a data-link-type="idl" href="#dom-trustedtypepolicy-createhtml" id="ref-for-dom-trustedtypepolicy-createhtml②">createHTML</a></code> property to <var>options</var><code class="idl"><a data-link-type="idl" href="#dom-trustedtypepolicyoptions-createhtml" id="ref-for-dom-trustedtypepolicyoptions-createhtml">createHTML</a></code> property value.</p>
<li data-md>
<p>Set <var>policyOptions</var> <code class="idl"><a data-link-type="idl" href="#dom-trustedtypepolicy-createscript" id="ref-for-dom-trustedtypepolicy-createscript②">createScript</a></code> property to <var>options</var><code class="idl"><a data-link-type="idl" href="#dom-trustedtypepolicyoptions-createscript" id="ref-for-dom-trustedtypepolicyoptions-createscript">createScript</a></code> property value.</p>
<li data-md>
<p>Set <var>policyOptions</var> <code class="idl"><a data-link-type="idl" href="#dom-trustedtypepolicy-createscripturl" id="ref-for-dom-trustedtypepolicy-createscripturl②">createScriptURL</a></code> property to <var>options</var><code class="idl"><a data-link-type="idl" href="#dom-trustedtypepolicyoptions-createscripturl" id="ref-for-dom-trustedtypepolicyoptions-createscripturl">createScriptURL</a></code> property value.</p>
<li data-md>
<p>Set <var>policy</var>’s <a data-link-type="dfn" href="#trustedtypepolicy-options" id="ref-for-trustedtypepolicy-options">options</a> value to <em>policyOptions</em>.</p>
<p>Set <var>policy</var>’s <a data-link-type="dfn" href="#trustedtypepolicy-options" id="ref-for-trustedtypepolicy-options">options</a> value to «[
"createHTML" -> <var>options</var>["<code class="idl"><a data-link-type="idl" href="#dom-trustedtypepolicyoptions-createhtml" id="ref-for-dom-trustedtypepolicyoptions-createhtml">createHTML</a></code>",
"createScript" -> <var>options</var>["<code class="idl"><a data-link-type="idl" href="#dom-trustedtypepolicyoptions-createscript" id="ref-for-dom-trustedtypepolicyoptions-createscript">createScript</a></code>",
"createScriptURL" -> <var>options</var>["<code class="idl"><a data-link-type="idl" href="#dom-trustedtypepolicyoptions-createscripturl" id="ref-for-dom-trustedtypepolicyoptions-createscripturl">createScriptURL</a></code>"
]».</p>
<li data-md>
<p>If the <var>policyName</var> is <code>default</code>, set the <var>factory</var>’s <a data-link-type="dfn" href="#trustedtypepolicyfactory-default-policy" id="ref-for-trustedtypepolicyfactory-default-policy②">default policy</a> value to <var>policy</var>.</p>
<li data-md>
@@ -2065,7 +2059,7 @@ <h3 class="heading settled" data-level="3.3" id="get-trusted-type-policy-value-a
<td>"TrustedScriptURL"
</table>
<li data-md>
<p>Let <var>function</var> be the value of the property in <var>policy</var>’s <a data-link-type="dfn" href="#trustedtypepolicy-options" id="ref-for-trustedtypepolicy-options①">options</a> named <var>functionName</var>.</p>
<p>Let <var>function</var> be <var>policy</var>’s <a data-link-type="dfn" href="#trustedtypepolicy-options" id="ref-for-trustedtypepolicy-options①">options</a>[<var>functionName</var>].</p>
<li data-md>
<p>If <var>function</var> is <code>null</code>, then:</p>
<ol>
@@ -2585,8 +2579,6 @@ <h4 class="heading settled" data-level="4.3.5" id="should-block-create-policy"><
<li data-md>
<p>Return <var>result</var>.</p>
</ol>
<h4 class="heading settled" data-level="4.3.6" id="csp-eval"><span class="secno">4.3.6. </span><span class="content">Support for dynamic code compilation</span><a class="self-link" href="#csp-eval"></a></h4>
<p class="note" role="note"><span class="marker">Note:</span> See <a href="https://github.com/w3c/webappsec-csp/pull/659">https://github.com/w3c/webappsec-csp/pull/659</a> which upstreams this integration.</p>
<h2 class="heading settled" data-level="5" id="security-considerations"><span class="secno">5. </span><span class="content">Security Considerations</span><a class="self-link" href="#security-considerations"></a></h2>
<p>Trusted Types are not intended to protect access to <a data-link-type="dfn" href="#injection-sink" id="ref-for-injection-sink②⑦">injection sinks</a> in an
actively malicious execution environment. It’s assumed that the application is
@@ -3775,10 +3767,10 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
window.dfnpanelData['trustedtypepolicy'] = {"dfnID": "trustedtypepolicy", "url": "#trustedtypepolicy", "dfnText": "TrustedTypePolicy", "refSections": [{"refs": [{"id": "ref-for-trustedtypepolicy"}], "title": "2.2.1. TrustedHTML"}, {"refs": [{"id": "ref-for-trustedtypepolicy\u2460"}], "title": "2.2.2. TrustedScript"}, {"refs": [{"id": "ref-for-trustedtypepolicy\u2461"}], "title": "2.2.3. TrustedScriptURL"}, {"refs": [{"id": "ref-for-trustedtypepolicy\u2462"}, {"id": "ref-for-trustedtypepolicy\u2463"}, {"id": "ref-for-trustedtypepolicy\u2464"}, {"id": "ref-for-trustedtypepolicy\u2465"}, {"id": "ref-for-trustedtypepolicy\u2466"}], "title": "2.3.1. TrustedTypePolicyFactory"}, {"refs": [{"id": "ref-for-trustedtypepolicy\u2467"}], "title": "2.3.2. TrustedTypePolicy"}, {"refs": [{"id": "ref-for-trustedtypepolicy\u2468"}], "title": "2.3.3. TrustedTypePolicyOptions"}, {"refs": [{"id": "ref-for-trustedtypepolicy\u2460\u24ea"}, {"id": "ref-for-trustedtypepolicy\u2460\u2460"}], "title": "3.1. Create a Trusted Type Policy"}, {"refs": [{"id": "ref-for-trustedtypepolicy\u2460\u2461"}], "title": "3.2. Create a Trusted Type"}, {"refs": [{"id": "ref-for-trustedtypepolicy\u2460\u2462"}], "title": "3.3. Get Trusted Type policy value"}, {"refs": [{"id": "ref-for-trustedtypepolicy\u2460\u2463"}], "title": "4.3.5. Should Trusted Type policy creation be blocked by Content Security Policy?"}], "external": false};
window.dfnpanelData['trustedtypepolicy-name'] = {"dfnID": "trustedtypepolicy-name", "url": "#trustedtypepolicy-name", "dfnText": "name", "refSections": [{"refs": [{"id": "ref-for-trustedtypepolicy-name"}], "title": "2.3.4. Default policy"}], "external": false};
window.dfnpanelData['trustedtypepolicy-options'] = {"dfnID": "trustedtypepolicy-options", "url": "#trustedtypepolicy-options", "dfnText": "options", "refSections": [{"refs": [{"id": "ref-for-trustedtypepolicy-options"}], "title": "3.1. Create a Trusted Type Policy"}, {"refs": [{"id": "ref-for-trustedtypepolicy-options\u2460"}], "title": "3.3. Get Trusted Type policy value"}], "external": false};
window.dfnpanelData['dom-trustedtypepolicy-createhtml'] = {"dfnID": "dom-trustedtypepolicy-createhtml", "url": "#dom-trustedtypepolicy-createhtml", "dfnText": "createHTML(input, ...arguments)", "refSections": [{"refs": [{"id": "ref-for-dom-trustedtypepolicy-createhtml"}], "title": "2.2.1. TrustedHTML"}, {"refs": [{"id": "ref-for-dom-trustedtypepolicy-createhtml\u2460"}], "title": "2.3.2. TrustedTypePolicy"}, {"refs": [{"id": "ref-for-dom-trustedtypepolicy-createhtml\u2461"}], "title": "3.1. Create a Trusted Type Policy"}], "external": false};
window.dfnpanelData['dom-trustedtypepolicy-createscript'] = {"dfnID": "dom-trustedtypepolicy-createscript", "url": "#dom-trustedtypepolicy-createscript", "dfnText": "createScript(input, ...arguments)", "refSections": [{"refs": [{"id": "ref-for-dom-trustedtypepolicy-createscript"}], "title": "2.2.2. TrustedScript"}, {"refs": [{"id": "ref-for-dom-trustedtypepolicy-createscript\u2460"}], "title": "2.3.2. TrustedTypePolicy"}, {"refs": [{"id": "ref-for-dom-trustedtypepolicy-createscript\u2461"}], "title": "3.1. Create a Trusted Type Policy"}], "external": false};
window.dfnpanelData['dom-trustedtypepolicy-createscripturl'] = {"dfnID": "dom-trustedtypepolicy-createscripturl", "url": "#dom-trustedtypepolicy-createscripturl", "dfnText": "createScriptURL(input, ...arguments)", "refSections": [{"refs": [{"id": "ref-for-dom-trustedtypepolicy-createscripturl"}], "title": "2.2.3. TrustedScriptURL"}, {"refs": [{"id": "ref-for-dom-trustedtypepolicy-createscripturl\u2460"}], "title": "2.3.2. TrustedTypePolicy"}, {"refs": [{"id": "ref-for-dom-trustedtypepolicy-createscripturl\u2461"}], "title": "3.1. Create a Trusted Type Policy"}], "external": false};
window.dfnpanelData['dictdef-trustedtypepolicyoptions'] = {"dfnID": "dictdef-trustedtypepolicyoptions", "url": "#dictdef-trustedtypepolicyoptions", "dfnText": "TrustedTypePolicyOptions", "refSections": [{"refs": [{"id": "ref-for-dictdef-trustedtypepolicyoptions"}, {"id": "ref-for-dictdef-trustedtypepolicyoptions\u2460"}], "title": "2.3.1. TrustedTypePolicyFactory"}, {"refs": [{"id": "ref-for-dictdef-trustedtypepolicyoptions\u2461"}], "title": "2.3.2. TrustedTypePolicy"}, {"refs": [{"id": "ref-for-dictdef-trustedtypepolicyoptions\u2462"}], "title": "2.3.3. TrustedTypePolicyOptions"}, {"refs": [{"id": "ref-for-dictdef-trustedtypepolicyoptions\u2463"}, {"id": "ref-for-dictdef-trustedtypepolicyoptions\u2464"}], "title": "3.1. Create a Trusted Type Policy"}], "external": false};
window.dfnpanelData['dom-trustedtypepolicy-createhtml'] = {"dfnID": "dom-trustedtypepolicy-createhtml", "url": "#dom-trustedtypepolicy-createhtml", "dfnText": "createHTML(input, ...arguments)", "refSections": [{"refs": [{"id": "ref-for-dom-trustedtypepolicy-createhtml"}], "title": "2.2.1. TrustedHTML"}, {"refs": [{"id": "ref-for-dom-trustedtypepolicy-createhtml\u2460"}], "title": "2.3.2. TrustedTypePolicy"}], "external": false};
window.dfnpanelData['dom-trustedtypepolicy-createscript'] = {"dfnID": "dom-trustedtypepolicy-createscript", "url": "#dom-trustedtypepolicy-createscript", "dfnText": "createScript(input, ...arguments)", "refSections": [{"refs": [{"id": "ref-for-dom-trustedtypepolicy-createscript"}], "title": "2.2.2. TrustedScript"}, {"refs": [{"id": "ref-for-dom-trustedtypepolicy-createscript\u2460"}], "title": "2.3.2. TrustedTypePolicy"}], "external": false};
window.dfnpanelData['dom-trustedtypepolicy-createscripturl'] = {"dfnID": "dom-trustedtypepolicy-createscripturl", "url": "#dom-trustedtypepolicy-createscripturl", "dfnText": "createScriptURL(input, ...arguments)", "refSections": [{"refs": [{"id": "ref-for-dom-trustedtypepolicy-createscripturl"}], "title": "2.2.3. TrustedScriptURL"}, {"refs": [{"id": "ref-for-dom-trustedtypepolicy-createscripturl\u2460"}], "title": "2.3.2. TrustedTypePolicy"}], "external": false};
window.dfnpanelData['dictdef-trustedtypepolicyoptions'] = {"dfnID": "dictdef-trustedtypepolicyoptions", "url": "#dictdef-trustedtypepolicyoptions", "dfnText": "TrustedTypePolicyOptions", "refSections": [{"refs": [{"id": "ref-for-dictdef-trustedtypepolicyoptions"}, {"id": "ref-for-dictdef-trustedtypepolicyoptions\u2460"}], "title": "2.3.1. TrustedTypePolicyFactory"}, {"refs": [{"id": "ref-for-dictdef-trustedtypepolicyoptions\u2461"}], "title": "2.3.2. TrustedTypePolicy"}, {"refs": [{"id": "ref-for-dictdef-trustedtypepolicyoptions\u2462"}], "title": "2.3.3. TrustedTypePolicyOptions"}, {"refs": [{"id": "ref-for-dictdef-trustedtypepolicyoptions\u2463"}], "title": "3.1. Create a Trusted Type Policy"}], "external": false};
window.dfnpanelData['dom-trustedtypepolicyoptions-createhtml'] = {"dfnID": "dom-trustedtypepolicyoptions-createhtml", "url": "#dom-trustedtypepolicyoptions-createhtml", "dfnText": "createHTML", "refSections": [{"refs": [{"id": "ref-for-dom-trustedtypepolicyoptions-createhtml"}], "title": "3.1. Create a Trusted Type Policy"}], "external": false};
window.dfnpanelData['dom-trustedtypepolicyoptions-createscript'] = {"dfnID": "dom-trustedtypepolicyoptions-createscript", "url": "#dom-trustedtypepolicyoptions-createscript", "dfnText": "createScript", "refSections": [{"refs": [{"id": "ref-for-dom-trustedtypepolicyoptions-createscript"}], "title": "3.1. Create a Trusted Type Policy"}], "external": false};
window.dfnpanelData['dom-trustedtypepolicyoptions-createscripturl'] = {"dfnID": "dom-trustedtypepolicyoptions-createscripturl", "url": "#dom-trustedtypepolicyoptions-createscripturl", "dfnText": "createScriptURL", "refSections": [{"refs": [{"id": "ref-for-dom-trustedtypepolicyoptions-createscripturl"}], "title": "3.1. Create a Trusted Type Policy"}], "external": false};