- From: Anne van Kesteren <notifications@github.com>
- Date: Thu, 04 Apr 2024 02:44:41 -0700
- To: whatwg/webidl <webidl@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/webidl/pull/1392/review/1979344378@github.com>
@annevk commented on this pull request. 
> @@ -11056,6 +11091,21 @@ allowed. The security check takes the following three inputs: Note: The HTML Standard defines how a security check is performed. [[!HTML]] +Certain algorithms are defined to +<dfn id="dfn-validate-the-string-in-context" export>validate the string in context</dfn> on a given +value. This check is used to determine whether a given value +is appropriate for its {{StringContext}}. This validation takes the following four inputs: + +1. the [=platform object=] on + which the operation invocation or attribute access is being done, +1. the value to validate, +1. the {{StringContext}} [=identifier=], and +1. the [=identifier=] of the operation or attribute. + +The algorithm returns an ECMAScript value, or [=JavaScript/throws=] a <l spec=ecmascript>{{TypeError}}</l>. + +Note: The HTML Standard defines how the validation is performed. [[!HTML]]

The string can also be modified, right?

It says it returns an ECMAScript value, but doesn't it really return a string?

I think "verify" is okay. I guess in theory we want this to be able to be used for non-Trusted Types purposes.

There are various things that matter with respect to timing:

1. Does it all happen at the correct point in time relative to other exceptions that may be thrown. I.e., do implementations handle the checks in the correct order.
2. What further side effects may arise from this check happening. It seems that https://w3c.github.io/webappsec-csp/#report-violation always queues a task so we don't have to worry about that for CSP. And I think we don't have to worry in the general case because this happens before any specification algorithms are involved. Although if we add more of these utilities around the edges of IDL we'll run into conflicts at some point of course.

-- Reply to this email directly or view it on GitHub: https://github.com/whatwg/webidl/pull/1392#discussion_r1551349772
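Review bot: the result of the new "validate the string in context" algorithm is underspecified in the added paragraph "The algorithm returns an ECMAScript value, or throws a TypeError": it does not say whether the returned value is always a string, nor whether it may differ from the input "value to validate", although returning a value at all implies the check can substitute one. Suggest stating the result explicitly, either "returns a string, which may differ from the input value" if substitution is intended or "returns the value unchanged" if it is not, and stating at which point during argument or attribute conversion the validation runs, so that the order of this TypeError relative to other conversion exceptions is normative in this spec rather than deferred entirely to the "Note: The HTML Standard defines how the validation is performed."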
Received on Thursday, 4 April 2024 09:44:45 UTC