-
Notifications
You must be signed in to change notification settings - Fork 78
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CSP: make available a reliable method for obtaining a reference to the global object #2
Comments
From @hillbrad on October 6, 2015 23:39 Is this an ECMAScript issue? On Tue, Oct 6, 2015 at 4:38 PM Michael Ficarra notifications@github.com
|
From @michaelficarra on October 7, 2015 0:10 It could be solved from the ECMAScript side, but there's little hope of that happening. All I ask is that this particular pattern (or the |
If JavaScript isn't giving you the thing you need in a consistent way, I think you'll need to poke at JavaScript to solve your problem. :( In fact, it's entirely possible that folks would use CSP specifically to prevent you from grabbing access to the global object as part of a larger sandboxing mechanism. I don't think there's much value in carving out loopholes. More practically, I don't think there's a good way to distinguish "safe" usage of |
That's a totally reasonable position to have. It just doesn't appear that either side is willing to budge on this one, and legitimate use cases are stuck in limbo until something changes. |
FYI, there is now a stage 1 ECMA-262 proposal for exactly this. It has strong committee support. https://github.com/tc39/proposal-global |
Closing this out in favor of the JavaScript-side |
* Introduce "Strip URL for use in reports". Omit informations from URLs in reports for: - `blockedURI` - `document-uri` - `referrer` - `source-file` This is the defactor standard implemented in: - [Chrome] with `StripURLForUseInReports(...)` - [Firefox] with `StripURIForReporting(...)` - [Safari] with `deprecatedURLForReporting(...)` The 3 implementations differ slightly. This patch proposes following [Chrome's patch], which help resolve this [user's need]. See also related [firefox issue] and [webappsec-csp issue]. [Chrome]: https://source.chromium.org/search?q=StripURLForUseInReport [Firefox]: https://searchfox.org/mozilla-central/search?q=StripURIForReporting [Safari]: https://github.com/WebKit/WebKit/blob/eea907e63be4676ad5cc56cabe4d00edf109b398/Source/WebCore/page/csp/ContentSecurityPolicy.cpp#L716 [Chrome's patch]: https://chromium-review.googlesource.com/c/chromium/src/+/3263879 [user's need]: https://bugs.chromium.org/p/chromium/issues/detail?id=1264789 [firefox issue]: https://bugzilla.mozilla.org/show_bug.cgi?id=1705523 [webappsec-csp issue]: #489 * Apply suggestions from annevk@ review #1 Co-authored-by: Anne van Kesteren <annevk@annevk.nl> * Address annevk@ comments #2 * Address @annevk comments. * Nit * Switch toward an allowlist * Remove wss/ws/ftp * Update index.bs Co-authored-by: Anne van Kesteren <annevk@annevk.nl> Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
From @michaelficarra on October 6, 2015 23:38
At times, it is necessary to obtain a reference to the global object. In different environments, this object has non-standard, writable self-references:
global
in node,window
in certain browser contexts,self
in other browser contexts, etc. It is not a good practice to rely upon these references. For this reason, a particular pattern using theFunction
constructor is the only reliable method (of which I'm aware) for obtaining a reference to the global object in any context (strict/sloppy mode, module/script).Because this is a use of the
Function
constructor, CSP does not allow this pattern without adding'unsafe-eval'
to my policy. How can we make an exception to allow this pattern or something equivalent?Copied from original issue: w3c/webappsec#501
The text was updated successfully, but these errors were encountered: