Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CSP: make available a reliable method for obtaining a reference to the global object #2

Closed
mikewest opened this issue Oct 7, 2015 · 6 comments

Comments

@mikewest
Copy link
Member

mikewest commented Oct 7, 2015

From @michaelficarra on October 6, 2015 23:38

At times, it is necessary to obtain a reference to the global object. In different environments, this object has non-standard, writable self-references: global in node, window in certain browser contexts, self in other browser contexts, etc. It is not a good practice to rely upon these references. For this reason, a particular pattern using the Function constructor is the only reliable method (of which I'm aware) for obtaining a reference to the global object in any context (strict/sloppy mode, module/script).

var honestToGodGlobalObject = Function("return this")();

Because this is a use of the Function constructor, CSP does not allow this pattern without adding 'unsafe-eval' to my policy. How can we make an exception to allow this pattern or something equivalent?

Copied from original issue: w3c/webappsec#501

@mikewest
Copy link
Member Author

mikewest commented Oct 7, 2015

From @hillbrad on October 6, 2015 23:39

Is this an ECMAScript issue?

On Tue, Oct 6, 2015 at 4:38 PM Michael Ficarra notifications@github.com
wrote:

At times, it is necessary to obtain a reference to the global object. In
different environments, this object has non-standard, writable
self-references: global in node, window in certain browser contexts, self
in other browser contexts, etc. It is not a good practice to rely upon
these references. For this reason, a particular pattern using the Function
constructor is the only reliable method (of which I'm aware) for obtaining
a reference to the global object in any context (strict/sloppy mode,
module/script).

var honestToGodGlobalObject = Function("return this")();

Because this is a use of the Function constructor, CSP does not allow
this pattern without adding 'unsafe-eval' to my policy. How can we make
an exception to allow this pattern or something equivalent?


Reply to this email directly or view it on GitHub
w3c/webappsec#501.

@mikewest
Copy link
Member Author

mikewest commented Oct 7, 2015

From @michaelficarra on October 7, 2015 0:10

It could be solved from the ECMAScript side, but there's little hope of that happening. All I ask is that this particular pattern (or the (0, eval)("this") equivalent mentioned in the linked thread) be allowed because of its uncontested utility.

@mikewest
Copy link
Member Author

mikewest commented Oct 7, 2015

If JavaScript isn't giving you the thing you need in a consistent way, I think you'll need to poke at JavaScript to solve your problem. :( In fact, it's entirely possible that folks would use CSP specifically to prevent you from grabbing access to the global object as part of a larger sandboxing mechanism. I don't think there's much value in carving out loopholes.

More practically, I don't think there's a good way to distinguish "safe" usage of Function or eval from non-safe usage. What you want is a well-defined global reference, not a pile of hacks.

@michaelficarra
Copy link
Contributor

That's a totally reasonable position to have. It just doesn't appear that either side is willing to budge on this one, and legitimate use cases are stuck in limbo until something changes.

@michaelficarra
Copy link
Contributor

FYI, there is now a stage 1 ECMA-262 proposal for exactly this. It has strong committee support. https://github.com/tc39/proposal-global

@mikewest
Copy link
Member Author

mikewest commented May 9, 2017

Closing this out in favor of the JavaScript-side global proposal, which looks to be moving along (at stage 3 right now).

@mikewest mikewest closed this as completed May 9, 2017
ArthurSonzogni added a commit to ArthurSonzogni/webappsec-csp that referenced this issue Nov 16, 2021
ArthurSonzogni added a commit that referenced this issue Nov 22, 2021
* Introduce "Strip URL for use in reports".

Omit informations from URLs in reports for:
- `blockedURI`
- `document-uri`
- `referrer`
- `source-file`

This is the defactor standard implemented in:
- [Chrome] with `StripURLForUseInReports(...)`
- [Firefox] with `StripURIForReporting(...)`
- [Safari] with `deprecatedURLForReporting(...)`

The 3 implementations differ slightly. This patch proposes following
[Chrome's patch], which help resolve this [user's need].

See also related [firefox issue] and [webappsec-csp issue].

[Chrome]: https://source.chromium.org/search?q=StripURLForUseInReport
[Firefox]: https://searchfox.org/mozilla-central/search?q=StripURIForReporting
[Safari]: https://github.com/WebKit/WebKit/blob/eea907e63be4676ad5cc56cabe4d00edf109b398/Source/WebCore/page/csp/ContentSecurityPolicy.cpp#L716
[Chrome's patch]: https://chromium-review.googlesource.com/c/chromium/src/+/3263879
[user's need]: https://bugs.chromium.org/p/chromium/issues/detail?id=1264789
[firefox issue]: https://bugzilla.mozilla.org/show_bug.cgi?id=1705523
[webappsec-csp issue]: #489

* Apply suggestions from annevk@ review #1

Co-authored-by: Anne van Kesteren <annevk@annevk.nl>

* Address annevk@ comments #2

* Address @annevk comments.

* Nit

* Switch toward an allowlist

* Remove wss/ws/ftp

* Update index.bs

Co-authored-by: Anne van Kesteren <annevk@annevk.nl>

Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants