Minimal specification of 'wasm-unsafe-eval' source directive #293
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -140,6 +140,21 @@ spec: INFRA; urlPrefix: https://infra.spec.whatwg.org/ | |
| type: grammar | ||
| text: ASCII whitespace; url: ascii-whitespace | ||
| text: INFRA; url: # | ||
|
|
||
| spec: WebAssembly-js-api; urlPrefix: https://webassembly.github.io/spec/js-api/ | ||
| type: method | ||
| text: new WebAssembly.Module(); url: #dom-module-module | ||
| text: WebAssembly.compile(); url: #dom-webassembly-compile | ||
| text: WebAssembly.instantiate(); url: #dom-webassembly-instantiate | ||
| text: HostEnsureCanCompileWasmBytes(); url:#dom-host-ensure-can-compile-wasm-bytes | ||
|
|
||
| spec: WebAssembly-web-api-api; urlPrefix: https://webassembly.github.io/spec/web-api/ | ||
| type: method | ||
| text: WebAssembly.compileStreaming(); url: #dom-webassembly-compilestreaming | ||
| text: WebAssembly.instantiateStreaming(); url: #dom-webassembly-instantiatestreaming | ||
| type: exception | ||
| text: WebAssembly.CompileError; url: #exceptiondef-compileerror | ||
|
|
||
| </pre> | ||
| <pre class="biblio"> | ||
| { | ||
|
|
@@ -665,6 +680,7 @@ spec: INFRA; urlPrefix: https://infra.spec.whatwg.org/ | |
| <dfn>keyword-source</dfn> = "<dfn>'self'</dfn>" / "<dfn>'unsafe-inline'</dfn>" / "<dfn>'unsafe-eval'</dfn>" | ||
| / "<dfn>'strict-dynamic'</dfn>" / "<dfn>'unsafe-hashes'</dfn>" / | ||
| / "<dfn>'report-sample'</dfn>" / "<dfn>'unsafe-allow-redirects'</dfn>" | ||
| / "<dfn>'wasm-unsafe-eval'</dfn>" | ||
|
|
||
| ISSUE: Bikeshed `unsafe-allow-redirects`. | ||
|
|
||
|
|
@@ -878,10 +894,11 @@ spec: INFRA; urlPrefix: https://infra.spec.whatwg.org/ | |
| The `Content-Security-Policy-Report-Only` HTTP Response Header Field | ||
| </h3> | ||
|
|
||
| The <dfn export id="header-content-security-policy-report-only" | ||
| http-header>`Content-Security-Policy-Report-Only`</dfn> HTTP response header | ||
| field allows web developers to experiment with policies by monitoring (but not | ||
| enforcing) their effects. The header's value is represented by the following | ||
| ABNF [[!RFC5234]]: | ||
|
|
||
| <pre> | ||
| Content-Security-Policy-Report-Only = 1#<a grammar>serialized-policy</a> | ||
|
|
@@ -1418,8 +1435,62 @@ spec: INFRA; urlPrefix: https://infra.spec.whatwg.org/ | |
| ISSUE(tc39/ecma262#938): {{HostEnsureCanCompileStrings()}} does not include the string which is | ||
| going to be compiled as a parameter. We'll also need to update HTML to pipe that value through | ||
| to CSP. | ||
|
|
||
| <h3 id="wasm-integration">Integration with WebAssembly</h3> | ||
|
|
||
| WebAssembly defines the {{HostEnsureCanCompileWasmBytes()}} abstract operation | ||
| which allows the host environment to block the compilation of WebAssembly | ||
| sources into executable code. This document defines an implementation of this | ||
| abstract operation which examines the relevant <a for="global object">CSP | ||
| list</a> to determine whether such compilation ought to be blocked. | ||
|
|
||
| <h4 id="can-compile-wasm-bytes" algorithm dfn> | ||
| EnsureCSPDoesNotBlockWasmByteCompilation(|callerRealm|, |calleeRealm|, |bytes|) | ||
| </h4> | ||
|
|
||
| Given two <a>realms</a> (|callerRealm| and |calleeRealm|), and (|bytes|), | ||
|
There was a problem hiding this comment. You should specify the type of |bytes| (I guess its a byte sequence) There was a problem hiding this comment. The actual algorithm does not mention the byte sequence. Thinking about that more, I believe that it cannot in typical realistic scenarios. (The policy is about whether wasm is allowed, not this particular wasm module). |
||
| this algorithm returns normally if compilation is allowed, and throws a | ||
| {{WebAssembly.CompileError}} if not: | ||
|
|
||
| 1. Let |globals| be a list containing |callerRealm|'s [=Realm/global object=] and |calleeRealm|'s | ||
| [=Realm/global object=]. | ||
|
|
||
| 2. For each |global| in |globals|: | ||
|
|
||
| 1. Let |result| be "`Allowed`". | ||
|
|
||
| 2. For each |policy| in |global|'s [=global object/CSP list=]: | ||
|
|
||
| 1. Let |source-list| be `null`. | ||
|
|
||
| 2. If |policy| contains a [=directive=] whose [=directive/name=] is "`script-src`", then | ||
| set |source-list| to that [=directive=]'s [=directive/value=]. | ||
|
|
||
| Otherwise if |policy| contains a [=directive=] whose [=directive/name=] is | ||
| "`default-src`", then set |source-list| to that directive's [=directive/value=]. | ||
|
|
||
| 3. If |source-list| is non-`null`, and does not contain a [=source expression=] which is | ||
| an [=ASCII case-insensitive=] match for the string "<a grammar>`'wasm-unsafe-eval'`</a>", | ||
antosart marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| then: | ||
|
|
||
| 1. Let |violation| be the result of executing [[#create-violation-for-global]] on | ||
| |global|, |policy|, and "`script-src`". | ||
|
|
||
| 2. Set |violation|'s [=violation/resource=] to "`inline`". | ||
antosart marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| 3. If |source-list| [=list/contains=] the expression | ||
| "<a grammar>`'report-sample'`</a>", then set |violation|'s [=violation/sample=] to | ||
| a string consisting of the first 40 bytes of |bytes| encoded using [=base64 encoding=]. | ||
|
|
||
| 4. Execute [[#report-violation]] on |violation|. | ||
|
|
||
| 5. If |policy|'s [=policy/disposition=] is "`enforce`", then set |result| to | ||
| "`Blocked`". | ||
|
|
||
| 3. If |result| is "`Blocked`", throw a {{WebAssembly.CompileError}} exception. | ||
|
|
||
| </section> | ||
|
|
||
| <!-- Big Text: Reporting --> | ||
| <section> | ||
| <h2 id="reporting"> | ||
|
|
@@ -2657,7 +2728,7 @@ spec: INFRA; urlPrefix: https://infra.spec.whatwg.org/ | |
| as in most situations there is no particular reason to have separate lists of | ||
| permissions for inline event handlers and <{script}> elements. | ||
|
|
||
| The `script-src` directive governs seven things: | ||
|
|
||
|
|
||
| 1. Script <a for="/">requests</a> MUST pass through [[#should-block-request]]. | ||
|
|
||
|
|
@@ -2684,7 +2755,17 @@ spec: INFRA; urlPrefix: https://infra.spec.whatwg.org/ | |
| and <a>`script-src-elem`</a> are not used when performing this check, instead | ||
| `script-src` (or it's fallback directive) is always used. | ||
|
|
||
| 5. The following WebAssembly execution sinks are gated on the "`wasm-unsafe-eval`" | ||
| source expression: | ||
|
|
||
| * {{new WebAssembly.Module()}} | ||
antosart marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| * {{WebAssembly.compile()}} | ||
| * {{WebAssembly.compileStreaming()}} | ||
| * {{WebAssembly.instantiate()}} | ||
| * {{WebAssembly.instantiateStreaming()}} | ||
|
|
||
| 6. Navigation to `javascript:` URLs MUST pass through [[#should-block-inline]]. Such navigations | ||
| will only execute script if every policy allows inline script, as per #3 above. | ||
|
|
||
| <h5 algorithm id="script-src-pre-request"> | ||
| `script-src` Pre-request check | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: it doesn't seem like anything actually changed here so it would probably be better to undo this change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I changed this because the existing line length was over 100 characters. Ok with not doing that though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd prefer if editorial changes happened in their own commit. Makes using blame easier.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 to this