16:04
<Michael Ficarra>
wait so we've done all this trust types work and we don't even know if the CSP folks want to use it yet? https://github.com/w3c/webappsec-csp/pull/665
17:27
<littledan>
wait so we've done all this trust types work and we don't even know if the CSP folks want to use it yet? https://github.com/w3c/webappsec-csp/pull/665
What do you mean, we don't know if CSP folks want to use it?
17:27
<littledan>
I think we want to be in the middle of the spec process, not just consulted at the end
17:28
<littledan>
this stuff is pretty important for security, so it makes sense that we spend time on it
17:28
<Michael Ficarra>
This new keyword allows enabling eval only when trusted types are enforced. Such that in browsers that don't support trusted types no eval is allowed, unlike with unsafe-eval. This is a draft PR to gather feedback on this idea, this concept was brought up at previous WebAppSec WG meetings.
17:29
<Michael Ficarra>
it makes it sound like we don't even know if CSP wants the feature, yet we've already done a bunch of work in our spec
17:29
<Michael Ficarra>
the requests for a position from Mozilla/WebKit were opened today
17:29
<Michael Ficarra>
don't you think we should've gotten that buy-in earlier?
17:30
<littledan>
yeah IMO it's OK for us to delay landing these kinds of patches until those standards positions happen, but in general TT has been developed together with those two groups, conversations are ongoing and we should be part of them during, not afterwards
17:30
<littledan>
we could get consensus on the patch in advance and land it once we really know that it will be useful for them
17:32
<littledan>
the issue tracker clearly shows people from Mozilla and WebKit actively involved in these issues. The standards position is for sort of broadening outreach and finalizing a conclusion
17:45
<Justin Ridgewell>
wait so we've done all this trust types work and we don't even know if the CSP folks want to use it yet? https://github.com/w3c/webappsec-csp/pull/665
It reads to me that this isn’t necessary for TT, it just makes enabling it more secure for legacy browsers that don’t support TT.
17:49
<nicolo-ribaudo>

Exactly -- if you use unsafe-eval with TT, browsers that know about TT will only allow TT to be used in eval(), and reject random strings. In older browsers, it will fall back to the previous unsafe-eval behavior. This already has buy-in as part of the original TT.

The new standards position request is to allow using trusted-eval as an alternative to unsafe-eval, so that the fallback in old browsers can be "block everything" rather than "allow everything".

17:53
<Michael Ficarra>
thanks for the explanation @nicolo-ribaudo