w3c / trusted-types

A browser API to prevent DOM-Based Cross Site Scripting in modern web applications.
https://w3c.github.io/trusted-types/dist/spec/

Update handling of timer functions #481

Closed lukewarlow closed 3 months ago

lukewarlow commented 3 months ago

Fixes #480

This effectively follows the Chromium implementation: we use the StringContext attribute to do the enforcement for setTimeout and setInterval, and then update the HostEnsureCanCompileStrings call (which now actually calls the CSP function directly) accordingly.

We then update EnsureCSPDoesNotBlockStringCompilation to only do TT validation for eval and Function, not timers.

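The split the PR description draws (function handlers for setTimeout/setInterval are never checked, string handlers go through the TrustedScript conversion that a `[StringContext=TrustedScript]` argument implies, and `EnsureCSPDoesNotBlockStringCompilation` is left to `eval`/`Function`) can be modelled in a few lines of plain JavaScript. The block below is an added illustration written for this page, not code from the trusted-types spec, Chromium, or the PR author. It runs in Node without any browser APIs; `TrustedScript`, `realm`, `makePolicy`, `getTrustedScriptCompliantString` and `guardedSetTimeout` are this model's own names and simplifications of the spec algorithms, and the policy and handler strings are constructed sample input.

```javascript
// Added model (not the spec's or Chromium's code) of how a Trusted Types
// enforcing document treats timer handlers. Assumptions are marked inline.

// Minimal stand-in for the spec's TrustedScript object: an opaque wrapper
// whose string value is only reachable through toString().
class TrustedScript {
  #value;
  constructor(value) { this.#value = String(value); }
  toString() { return this.#value; }
}

// Realm state standing in for the document's CSP and its default policy.
const realm = {
  enforceTrustedTypesForScript: false, // true when CSP has require-trusted-types-for 'script'
  defaultPolicy: null,                 // a policy created under the name "default", if any
};

// Simplified policy factory: only createScript is modelled.
function makePolicy(name, { createScript } = {}) {
  const policy = {
    name,
    createScript(input, sink) {
      if (typeof createScript !== 'function') {
        throw new TypeError(`policy "${name}" has no createScript`);
      }
      // Default-policy callbacks receive the value plus type and sink names.
      const out = createScript(String(input), 'TrustedScript', sink);
      return out === null || out === undefined ? null : new TrustedScript(out);
    },
  };
  if (name === 'default') realm.defaultPolicy = policy;
  return policy;
}

// Model of "get Trusted Type compliant string" for the TrustedScript type:
// TrustedScript passes through, plain strings pass only when enforcement is
// off or the default policy turns them into a TrustedScript.
function getTrustedScriptCompliantString(input, sink) {
  if (input instanceof TrustedScript) return input.toString();
  if (!realm.enforceTrustedTypesForScript) return String(input);
  const policy = realm.defaultPolicy;
  if (policy === null) throw new TypeError(`${sink} requires a TrustedScript`);
  const converted = policy.createScript(input, sink);
  if (converted === null) throw new TypeError(`${sink} requires a TrustedScript`);
  return converted.toString();
}

// Modelled setTimeout: a function handler is scheduled unchecked; a string
// handler is converted first, exactly where a StringContext argument would be.
// Returns a description instead of scheduling anything so the result is testable.
function guardedSetTimeout(handler, delay = 0) {
  if (typeof handler === 'function') {
    return { kind: 'function', code: null, delay };
  }
  const code = getTrustedScriptCompliantString(handler, 'Window setTimeout');
  return { kind: 'string', code, delay };
}

// Helper returning true when the call was blocked with a TypeError.
function isBlocked(fn) {
  try { fn(); return false; } catch (e) { return e instanceof TypeError; }
}

// Walks through the cases a reviewer would check; returns one label per case.
function runScenarios() {
  const results = [];
  realm.enforceTrustedTypesForScript = false;
  realm.defaultPolicy = null;
  results.push(`no-enforcement string: ${isBlocked(() => guardedSetTimeout('alert(1)')) ? 'blocked' : 'allowed'}`);

  realm.enforceTrustedTypesForScript = true;
  results.push(`enforced function: ${isBlocked(() => guardedSetTimeout(() => {})) ? 'blocked' : 'allowed'}`);
  results.push(`enforced string, no default policy: ${isBlocked(() => guardedSetTimeout('alert(1)')) ? 'blocked' : 'allowed'}`);
  results.push(`enforced TrustedScript: ${isBlocked(() => guardedSetTimeout(new TrustedScript('work()'))) ? 'blocked' : 'allowed'}`);

  // Constructed default policy: only the literal 'allowed()' is accepted.
  makePolicy('default', { createScript: (s) => (s === 'allowed()' ? s : null) });
  results.push(`enforced string, default policy accepts: ${isBlocked(() => guardedSetTimeout('allowed()')) ? 'blocked' : 'allowed'}`);
  results.push(`enforced string, default policy rejects: ${isBlocked(() => guardedSetTimeout('alert(1)')) ? 'blocked' : 'allowed'}`);
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const line of runScenarios()) console.log(line);
}
```

The point the model makes is the one the PR relies on: the timer check lives at the argument conversion step, so `setTimeout(fn, ...)` is untouched by Trusted Types, while `setTimeout("code", ...)` is blocked or rewritten by the default policy before the string ever reaches the compile step, leaving `HostEnsureCanCompileStrings` to handle only `eval` and `Function`.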

lukewarlow commented 3 months ago

@otherdaniel, you implemented this functionality in Chromium IIRC; would you be able to take a quick look over this PR to sanity check it?

lukewarlow commented 3 months ago

Based on @otherdaniel's review, I'm going to go ahead and merge this.