TrustedTypes: Function() constructor + eval() #42462
Conversation
| - `arg1`, …, `argN` {{optional_inline}} | ||
| - : Names to be used by the function as formal argument names. Each must be a string that corresponds to a valid JavaScript parameter (any of plain [identifier](/en-US/docs/Glossary/Identifier), [rest parameter](/en-US/docs/Web/JavaScript/Reference/Functions/rest_parameters), or [destructured](/en-US/docs/Web/JavaScript/Reference/Operators/Destructuring) parameter, optionally with a [default](/en-US/docs/Web/JavaScript/Reference/Functions/Default_parameters)), or a list of such strings separated with commas. | ||
| - : {{domxref("TrustedScript")}} instances or strings specifying names to be used by the function as formal argument names. |
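Review bot: the replacement description of `arg1`, …, `argN` drops the detail the removed line carried about what counts as a valid argument name (a plain identifier, rest parameter or destructured parameter, optionally with a default, or a comma-separated list of such strings); readers of the Function() reference still need that, so keep it and put the Trusted Types sentence in front, e.g. `- : {{domxref("TrustedScript")}} instances or strings specifying names to be used by the function as formal argument names. Each must be a string that corresponds to a valid JavaScript parameter …`. Since this file sits in the JavaScript reference, the `{{domxref("TrustedScript")}}` reference also wants one sentence saying that in environments without Trusted Types support the argument is simply the string, which is the fallback the discussion below describes.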
It feels weird that this is part of JavaScript, but has this dependency on a web API. I don't know enough about the JS docs to know if this is a problem.
@Josh-Cena This is a JavaScript native method that on a supporting browser might take a TrustedScript instance instead of a string.
I am fine with this - in environments where TrustedScript is not supported IMO this essentially falls back to just being the string.
However, if you have a specific way you'd like to address this in the Function and eval(), speak now, or forever hold your peace :-)
I'll merge if no response before I wander off today. We can always tidy up later.
Off I go! Thanks @wbamberg
Co-authored-by: wbamberg <[email protected]>
Clarify the risks of using direct eval() in JavaScript, emphasizing security concerns and performance issues.
Are you going to update
Thanks for the review @wbamberg - I've accepted all comments, and rolled them into Function() doc too. I am happy for this to go in - so if Josh doesn't comment on https://github.com/mdn/content/pull/42462/files#r2666072963 can you merge please.
wbamberg
left a comment
Thank you Hamish. I'm approving but will give Josh time to respond as well.
Good catch. Will have to be a different PR. Yes this is an oversight. Not specifically mine though - I've been tracking BCD and this isn't there. It is implemented in Firefox and Chrome though (tested).
* 'main' of https://github.com/Anurella/content: (7201 commits)
  Update InterfaceData based on WebRef (mdn#42718)
  fix typo in `PeroformanceResourceTiming.requestStart` (mdn#42724)
  fix: auto-cleanup by bot (mdn#42717)
  fix typo in RTCTransportStats (mdn#42704)
  Fix typo in queuingStrategy variable name (mdn#42706)
  Update guidance on <hr> styling (mdn#42708)
  Fx147: Add relnote for iterator sequencing support (mdn#42713)
  Fix order of arguments in SpeechRecognitionPhrase ctor (mdn#42711)
  Update warnings about event handler attributes (mdn#42347)
  chore(deps-dev): bump fs-extra from 11.3.2 to 11.3.3 (mdn#42468)
  ci(deps): bump actions/download-artifact from 6.0.0 to 7.0.0 (mdn#42404)
  ci(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0 (mdn#42402)
  ci(deps): bump peter-evans/create-pull-request from 7.0.11 to 8.0.0 (mdn#42403)
  Explain value repetition when fewer background values are specified (mdn#42627)
  Add description to background shorthand property (mdn#42695)
  chore(deps): bump @mdn/fred from 1.9.7 to 2.0.0 (mdn#42702)
  chore(deps): bump qs from 6.14.0 to 6.14.1 (mdn#42598)
  Bump node-html-parser from 7.0.1 to 7.0.2 (mdn#42659)
  update documentation to note that Firefox for Android requires CT (mdn#42672)
  TrustedTypes: Function() constructor + eval() (mdn#42462)
  ...
The `Function()` constructor can execute its arguments as JavaScript. Similarly `eval()` executes its input as JavaScript. This updates the TrustedType information for both methods.

Note, I provided an example for `eval()` but not `Function`. I wasn't sure if I should do either, because even though this is notionally safer than not using trusted types, there is really no direction on how you can practically and generically transform a script so that it is safe. For the `eval()` case I just indicated the use of custom transforming function, for which I provided no implementation. For Function, I added a disclaimer and linked to the eval() example.

Related docs work tracked in #41507