trusted-types
Function constructor and default policy
Follow up from #445
Currently the default policy gets "(function(foo\n) { \nbody\n})" or something along those lines, aka a compiled function string. This requires that we pass the fully compiled string through to the default policy. This, I suspect, isn't very useful in practice; ECMAScript actually passes the host language the body and the individual parameter arguments, though. So we could provide those to the default policy instead of, or in addition to, the compiled string?
If we ignored the compat risk (and I'm not sure if it's possible), ideally we could mutate the parameter list argument, and the return from the default policy in this case would just be the modified body?
That way you can modify the function properly without needing to deconstruct or reconstruct function strings?
This would simplify the https://tc39.es/proposal-dynamic-code-brand-checks/ change, as we wouldn't need the compiled string passed into it. So the change would be making it return a value and the code-like checks.
cc @koto @otherdaniel
Unfortunately we're potentially limited on changes we can make due to Chrome already shipping Function constructor default policy handling which requires the compiled string. And returning the fully compiled string from the default policy too.
We can definitely at least provide the parameter list and body string as separate arguments additionally though.
A large part of this will depend on what we envisage the usage of Function() with the default policy to actually look like? Is it likely to actually need to modify the value? Or is it more likely to just be a gate where if it's an unexpected value we just abort?
[...] what we envisage the usage of Function() with the default policy to actually look like? Is it likely to actually need to modify the value? Or is it more likely to just be a gate where if it's an unexpected value we just abort?
The latter; when designing this we assumed parsing untrusted JavaScript in order to "sanitize" it would be quite niche. Pretty much the only reason why a default policy accepts a TrustedScript and can change it was to make its behavior similar to the one for other types.
Closing this for now; we can reopen a more dedicated issue regarding giving the default policy more useful information in this case in the future if we feel it warranted.
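The gate-style default policy the thread settles on, as an added example that is not code from the thread, the Trusted Types spec or Chrome: it shows what the callback is handed for new Function(...) (the engine-compiled source) and how a policy has to split that string back into parameter list and body before it can accept or reject it. The compiled-source shape, the sink name "Function" and the allow-listed bodies are assumptions made for this example.

```javascript
// Constructed sample of what the default policy is handed for
// new Function("a", "b", "return a + b"): the engine-compiled source, with the
// wrapper shape assumed from the thread ("(function(foo\n) {\nbody\n})").
const SAMPLE_COMPILED = "(function anonymous(a,b\n) {\nreturn a + b\n})";

// Bodies this application legitimately compiles at runtime (constructed).
const ALLOWED_BODIES = new Set(["return a + b", "return this.render(ctx)"]);

// Pull the parameter list and body back out of the compiled source. The
// wrapper puts a line feed after the parameters and around the body, so the
// regex anchors on those; the "anonymous" name is optional to cover both
// shapes. Returns null when the input is not recognised.
function splitCompiledFunction(source) {
  const m = /^\(function(?: anonymous)?\((.*?)\n\) \{\n(.*)\n\}\)$/s.exec(source);
  return m ? { params: m[1], body: m[2] } : null;
}

// Parameter list must be empty or a comma-separated run of plain identifiers;
// anything else (defaults, destructuring, stray code) is rejected by the gate.
function paramsLookPlain(params) {
  return params === "" || /^[A-Za-z_$][\w$]*(,[A-Za-z_$][\w$]*)*$/.test(params);
}

// The createScript callback of a default policy, acting purely as a gate:
// return the input unchanged to accept the compilation, or null to make the
// Trusted Types check fail (the Function constructor then throws a TypeError).
// Default-policy callbacks get the type and sink name as extra arguments; the
// sink name "Function" for the constructor is an assumption here.
function defaultCreateScript(input, type, sink) {
  if (sink !== "Function") return null; // this example only gates Function()
  const parts = splitCompiledFunction(input);
  if (parts === null || !paramsLookPlain(parts.params)) return null;
  return ALLOWED_BODIES.has(parts.body) ? input : null;
}

// In a page under a require-trusted-types-for 'script' CSP this installs the
// gate as the default policy; guarded so the file also runs under Node.
if (typeof trustedTypes !== "undefined") {
  trustedTypes.createPolicy("default", { createScript: defaultCreateScript });
}
```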