trusted-types
trusted-types copied to clipboard
Clarify interaction between unsafe-eval and TrustedScript.
@lweichselbaum @koto
Per https://twitter.com/we1x/status/1113340867409076224 since TT with eval
/Function
guards provides similar protection to CSP without unsafe eval, maybe it's worth clarifying how an application might provide degraded service when TT is not available but take advantage of TT where it is.
Should a CSP policy without unsafe-eval
prevent eval(myTrustedScriptValue)
?
I'm leaning no since unsafe-eval
in a CSP header can't be contingent on trusted-types being supported.
If unsafe-eval
is present, does trusted-types guard eval(x)
/Function(x)
/import(...)
at all?
Similarly for wasm-unsafe-eval
?