Provide hooks for Content Security Policy (CSP) #450
Comments
|
@Ms2ger This is not the place for these discussions. Please email es-discuss. |
|
This is 100% the place for this "discussion". |
|
I will work on a pull request for this today. |
|
Some historical context: https://bugs.ecmascript.org/show_bug.cgi?id=2494. |
|
@domenic As I understand it, this repo is for concrete proposals and bug fixes. Not an open-ended discussion. |
|
Yes, this is a concrete bugfix to match implementations. No discussion is needed. |
WHAT? Such notions have not previously been part of EcmaScript. I understand why they probably should be, but this is absolutely a substantive discussion, not a bug fix. |
|
This is like the other host hooks. It's already implemented everywhere, too. It has no normative consequences, only layering ones. There's no need for discussion; the proper place for discussion if you wanted to change the behavior was in the webappsec working group. |
|
This was also resolved to be a trivial change in https://bugs.ecmascript.org/show_bug.cgi?id=2494 and desired for inclusion in the spec. Allen says there are enough hooks already but they aren't very explicit, if they exist. (I guess he is referring to hooking into the creation of new execution contexts.) |
|
@Ms2ger Out of respect to those readers (like me) who don't have the necessary context, please take the time to write a full description with appropriate links when creating an issue like this. |
|
Added some more background to the summary. I may have mistakenly assumed that a search engine of your choice would have been able to find sufficient context. |
|
@Ms2ger Awesome, but I'm curious what's with all the terseness and snark? |
|
It probably has something to do with this contributor's first welcome to the tc39 github repo being told to go away in a terse and snarky way. |
|
Ah, that would do it. Well, chalk it up to a misunderstanding, and good to have you here, @Ms2ger ! |
|
Yes @Ms2ger , welcome! |
The hook is step 11 of [InitializeHostDefineRealm()]](http://tc39.github.io/ecma262/#sec-initializehostdefinedrealm)
Arguably this might be better worded as:
to cover the cases of In addition, the following paragraph should be added to Clause 16
All the other details should be left to the CSPspec. |
|
Thanks Allen. I'd rather add specific restricted and explicit hooks as in #451 (which e.g. clarifies which steps in which algorithms, including direct eval, are affected) rather than use those kind of blanket permissions. |
|
I agree that a hook for direct eval is needed. I think the right place to put it is in PerformEval rather than at the call sites to PerformEval. I don't think need a "hook" operation like HostEnsureCompileStrings is need. A prose line in PerformEval is more readable and can be as specific as you want to make it. |
|
I think a hook operation is more precise and clearer for host environments (both implementations and specs). It certainly maps better to the existing open source engines. We can let the editor decide. PerformEval is not sufficient since we need both the calleeRealm and the callerRealm to match web reality. |
In particular, CSP wants to do something to
eval()andnew Function().http://w3c.github.io/webappsec-csp/ is a specification implemented in web browsers that provides a feature that makes
eval()andnew Function()no-ops. Currently it uses very hand-wavy prose for that. I believe it is better for the definition of those features to acknowledge that feature, to ensure that the expected result is well-defined.The text was updated successfully, but these errors were encountered: