w3c / webappsec-csp

WebAppSec Content Security Policy
https://w3c.github.io/webappsec-csp/

Add `trusted-types-eval` source expression for `script-src` #665

Open lukewarlow opened 5 months ago

lukewarlow commented 5 months ago

This new keyword allows enabling eval only when Trusted Types are enforced, such that in browsers that don't support Trusted Types no eval is allowed, unlike with `unsafe-eval`. This concept was brought up at previous WebAppSec WG meetings.

Implementor Interest:

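A small model of the intended difference between `'unsafe-eval'` and the proposed `'trusted-types-eval'`, added here as an illustration and not taken from the spec PR or any browser implementation; it assumes, as the description states, that the new keyword only takes effect when `require-trusted-types-for 'script'` is enforced, and that a browser without Trusted Types ignores the unrecognized keyword like any other unknown source expression:

```python
# Added example (not from the spec PR): a model of how the proposed
# 'trusted-types-eval' keyword is meant to differ from 'unsafe-eval' across
# browsers that do and do not implement Trusted Types.

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a serialized policy into {directive-name: [source expressions]}.
    As in CSP, only the first occurrence of a directive name is honoured."""
    directives: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def eval_allowed(header: str, browser_supports_trusted_types: bool) -> bool:
    """Return whether eval() is permitted at all under this policy in this browser."""
    csp = parse_csp(header)
    sources = csp.get("script-src", csp.get("default-src", []))
    if "'unsafe-eval'" in sources:
        return True  # legacy keyword: eval allowed regardless of Trusted Types
    if "'trusted-types-eval'" in sources:
        # Assumption from the PR description: eval is enabled only when Trusted
        # Types are enforced. A browser without Trusted Types cannot enforce
        # them and ignores the unknown keyword, so eval stays blocked there.
        enforcing = "'script'" in csp.get("require-trusted-types-for", [])
        return browser_supports_trusted_types and enforcing
    return False


def compare(header: str) -> dict[str, bool]:
    """Evaluate the same policy under both browser profiles."""
    return {
        "trusted_types_browser": eval_allowed(header, True),
        "legacy_browser": eval_allowed(header, False),
    }


# Constructed sample policies for the comparison.
LEGACY_POLICY = "script-src 'self' 'unsafe-eval'; require-trusted-types-for 'script'"
PROPOSED_POLICY = "script-src 'self' 'trusted-types-eval'; require-trusted-types-for 'script'"

if __name__ == "__main__":
    for name, policy in (("unsafe-eval", LEGACY_POLICY), ("trusted-types-eval", PROPOSED_POLICY)):
        print(name, compare(policy))
```

With the legacy keyword an old browser still runs string eval unprotected; with the proposed keyword that browser blocks eval instead, which is the fallback behaviour the description is after.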

lukewarlow commented 5 months ago

cc @otherdaniel @koto to gather Google feedback.

Mozilla Position Request: https://github.com/mozilla/standards-positions/issues/1032

WebKit Position Request: https://github.com/WebKit/standards-positions/issues/355

lukewarlow commented 2 months ago

@mikewest if you've got time it'd be brilliant to get an editorial review of this too. Still waiting on some browser positions so won't merge yet.