mozilla / standards-positions

https://mozilla.github.io/standards-positions/
Mozilla Public License 2.0

New `trusted-types-eval` keyword for CSP script-src #1032

Closed lukewarlow closed 1 month ago

lukewarlow commented 3 months ago

Request for Mozilla Position on an Emerging Web Specification

Other information

This proposes a new trusted-types-eval keyword for the CSP script-src directive. The main use case for this new keyword is to allow enabling eval only in browsers that support and have Trusted Types enforced. Currently, Trusted Types is used alongside unsafe-eval (if you need eval), which means that in browsers with no Trusted Types support eval is still allowed (completely unmitigated by the protections TT offers). This new keyword would prevent that situation.
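To make the back-compat argument above concrete, here is an added example (not code from the issue, the proposal, or any browser) that models how a browser would decide whether an eval() call runs under a given policy. The decision rules are an assumption derived from the issue text: unknown source expressions are ignored by CSP, Trusted Types enforcement (where supported) rejects plain strings at the eval sink, and the proposed keyword only takes effect when a require-trusted-types-for directive is in effect. The policies, browser profiles and the TrustedScript flag are constructed for the comparison.

```javascript
// Added example: a model of eval() gating under CSP, comparing the legacy
// 'unsafe-eval' keyword with the proposed 'trusted-types-eval' keyword.
// The rules are an assumption based on the issue text, not the specification.

// Parse a CSP header string into { directiveName: [tokens] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives[name.toLowerCase()] = values;
  }
  return directives;
}

// Does the policy ask for Trusted Types enforcement on script sinks?
function trustedTypesEnforced(csp) {
  const req = csp['require-trusted-types-for'] || [];
  return req.includes("'script'");
}

// Decide whether eval() may run.
//   csp:     parsed policy
//   browser: { supportsTrustedTypes, knowsTrustedTypesEval } (constructed capability flags)
//   arg:     { trustedScript } -- whether the value handed to eval is a TrustedScript
function evalAllowed(csp, browser, arg) {
  // script-src falls back to default-src when absent.
  const src = csp['script-src'] || csp['default-src'] || [];
  // Where the browser supports Trusted Types and the policy enforces them,
  // a plain string at the eval sink is rejected regardless of any keyword.
  const enforced = browser.supportsTrustedTypes && trustedTypesEnforced(csp);
  if (enforced && !arg.trustedScript) {
    return { allowed: false, reason: 'plain string rejected by Trusted Types' };
  }
  // Legacy keyword: eval is enabled in every browser, so a browser without
  // Trusted Types runs arbitrary strings unmitigated.
  if (src.includes("'unsafe-eval'")) {
    return { allowed: true, reason: 'unsafe-eval' };
  }
  // Proposed keyword: ignored by browsers that do not know it, and inert
  // unless Trusted Types enforcement is actually in effect.
  if (src.includes("'trusted-types-eval'")) {
    if (!browser.knowsTrustedTypesEval) {
      return { allowed: false, reason: 'unknown keyword ignored; eval blocked' };
    }
    if (!enforced) {
      return { allowed: false, reason: 'trusted-types-eval without TT enforcement' };
    }
    return { allowed: true, reason: 'TrustedScript under enforcement' };
  }
  return { allowed: false, reason: 'no eval keyword' };
}

// Constructed policies and browser profiles for the comparison.
const LEGACY_POLICY = "script-src 'self' 'unsafe-eval'; require-trusted-types-for 'script'";
const PROPOSED_POLICY = "script-src 'self' 'trusted-types-eval'; require-trusted-types-for 'script'";
const OLD_BROWSER = { supportsTrustedTypes: false, knowsTrustedTypesEval: false };
const NEW_BROWSER = { supportsTrustedTypes: true, knowsTrustedTypesEval: true };

// Run both policies through both browsers and report what eval() is allowed to do.
function compare() {
  const out = {};
  for (const [label, header] of [['legacy', LEGACY_POLICY], ['proposed', PROPOSED_POLICY]]) {
    const csp = parseCsp(header);
    out[label] = {
      oldBrowserPlainString: evalAllowed(csp, OLD_BROWSER, { trustedScript: false }).allowed,
      newBrowserPlainString: evalAllowed(csp, NEW_BROWSER, { trustedScript: false }).allowed,
      newBrowserTrustedScript: evalAllowed(csp, NEW_BROWSER, { trustedScript: true }).allowed,
    };
  }
  return out;
}

console.log(JSON.stringify(compare(), null, 2));
```

The only cell that differs between the two policies is the old browser with a plain string: under the legacy policy it is allowed (the unmitigated case the issue describes), under the proposed policy it is blocked, while a Trusted-Types-capable browser behaves identically in both.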

lukewarlow commented 3 months ago

See https://github.com/mozilla/standards-positions/issues/20 for the original position on Trusted Types as a whole, which is Positive from Mozilla.

mozfreddyb commented 1 month ago

While having to use eval is a generally unfortunate thing, we acknowledge that some websites have painted themselves into a corner such that it's better to use eval only on trusted things rather than all kinds of eval.

There was a slight concern that "trusted..." sounds like a safe thing to do, when it is in fact only a pointer that the check should have been applied elsewhere. But that's pretty much aligned with the general understanding of trust in computer security, so we're OK. Generally, we're happy that this requires a trusted-types directive to be in effect to do anything and has a sane back-compat story.

My apologies for not circling back earlier here. After a discussion with our CSP folks internally, I suggest we mark this positive (but without an individual entry in our dashboard, because the change is a bit minor).