Open twschiller opened 3 years ago
I'd like to use SES (Secure ECMAScript) for this job. An implementation is here: https://github.com/endojs/endo/tree/master/packages/ses, but it requires eval, which is banned in manifest V3.
I'd like to use LavaMoat (based on SES) to help limit the risk of supply-chain attacks.
I like it too, but I'm worried that eval (which is required to implement SES for now) will be restricted on manifest V3. I don't know if we can have things like Trusted Types to make SES work with a strict CSP.
Context/Background
Template engines (e.g., Mustache, Handlebars, Nunjucks, jq) are valuable for providing end-user customization without code.
However, template engines pose a security risk when used with user-defined templates (e.g., XSS and prototype pollution).
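The two risks named above, as an added example that is not code from this issue or from any template engine it mentions: a minimal Mustache-style renderer with a naive dotted-path lookup beside a hardened one, plus output escaping. All function names and the sample data are constructed for illustration.

```javascript
// Added example, not code from the issue or any project it links. A tiny
// Mustache-style renderer illustrating the two risks of user-supplied
// templates: output injection (XSS) and reaching into Object.prototype.

const ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITY[c]);
}

// Naive lookup: follows any dotted path through inherited properties, so a
// template author can wander from plain data into Object.prototype.
function lookupNaive(ctx, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), ctx);
}

// Hardened lookup: each hop must be an *own* property of a plain object, and
// prototype-flavoured keys are rejected outright.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
function lookupSafe(ctx, path) {
  let cur = ctx;
  for (const key of path.split('.')) {
    if (BLOCKED.has(key) || cur === null || typeof cur !== 'object' ||
        !Object.prototype.hasOwnProperty.call(cur, key)) {
      return undefined;
    }
    cur = cur[key];
  }
  return cur;
}

// Render `{{ a.b.c }}` placeholders. Escaping is on by default; `escape: false`
// reproduces the classic mistake of emitting values as raw HTML.
function render(template, ctx, { lookup = lookupSafe, escape = true } = {}) {
  return template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, path) => {
    const v = lookup(ctx, path);
    const text = v === undefined || v === null ? '' : String(v);
    return escape ? escapeHtml(text) : text;
  });
}

// Constructed sample data; the template string is the untrusted part here.
const data = { user: { name: '<b>Mallory</b>' } };
console.log(render('Hi {{user.name}}', data));
```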
Request
Design Considerations
Prior Art:
sandbox: https://developer.chrome.com/docs/extensions/mv2/manifest/sandbox/sandbox
https://developer.chrome.com/docs/extensions/mv3/manifest/sandbox/user_scripts
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/user_scripts
Related Information: