fix(ses): Lockdown under no-unsafe-eval Content-Security-Policy #1360
Conversation
|
cc @Jack-Works. I’m leaving this in draft because it does not address your concern about Lockdown generating excessive warnings. But, this should subsume all of #1333. I have not rigorously accounted for @mhofman’s concerns in #903. Posted as draft to show progress. |
kriskowal
force-pushed
the
kris-no-eval
branch
from
05f1c8f to
c6506a3
Compare
| // eslint-disable-next-line @endo/no-polymorphic-call | ||
| FERAL_FUNCTION.prototype.constructor('return 1'); | ||
| } catch (ignore) { | ||
| FERAL_EVAL(''); |
There was a problem hiding this comment.
Don't we also need to test that FERAL_FUNCTION works to make sure the make-evaluator succeeds?
| ), | ||
| constructor => { | ||
| try { | ||
| constructor(''); |
There was a problem hiding this comment.
I may be paranoid, but wouldn't there technically be a way to bypass this by allowing the "empty" / null sha in CSP?
I guess it'd really be the embedder shooting itself in the foot in that case.
| // eslint-disable-next-line no-empty-function | ||
| async function unsafeAsyncFunction() {}, | ||
| // eslint-disable-next-line no-empty-function | ||
| async function* unsafeAsyncGeneratorFunction() {}, |
There was a problem hiding this comment.
Do these actually throw synchronously on CSP violation ?
|
This remains in draft because we need to reframe the solution in terms of a lockdown option that expressly avoids any spelling of cc @erights |
This change adds a test that verifies that Lockdown runs to completion even in the absence of a usable evaluator.