fix(core): make development mode Trusted Types compatible #39209
| // Use globalThis['eval'] to hide the fact that we're using eval, since | ||
| // otherwise the compiler won't know that this can be tree shaken. |
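Review bot: the comment on the `globalThis['eval']` call gives the compiler-facing reason for the spelling but not the runtime consequence: this form is an indirect eval, so the evaluated code runs in global scope and cannot see local bindings. Suggest adding one sentence saying that global-scope evaluation is intended, so that a later cleanup does not replace it with a direct `eval(...)` and change scoping as well as tree shaking.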
Can you expand on this a bit? How does globalThis['eval'] allow tree-shaking?
I've updated the comment to hopefully explain this a bit better. But to elaborate, eval is a black box from the perspective of the compiler, and prevents it from doing certain kinds of optimizations. When I initially used eval directly, the modules that used Trusted Types were not stripped out of the resulting JS binary, even if they were not used at all and would typically be tree shaken out. This caused a lot of size tests to fail. Replacing this with an indirection like global['eval'] tricks the compiler into ignoring that this is an eval, enabling it to use its optimizations and the tests to pass.
7e0c365 to 3aab1c6
The main (the last two) commits of this PR look good to me - I left just one suggestion to better defend against prod optimizations.
Chrome currently does not support passing TrustedScript to the Function constructor, and instead fails with a Trusted Types violation when called. As the Function constructor is used in a handful of places within Angular, such as in the JIT compiler and named_array_type, the workaround proposed on the following page is implemented:
https://github.com/w3c/webappsec-trusted-types/wiki/Trusted-Types-for-function-constructor

To be precise, it constructs a string representing an anonymous function in a way that is equivalent to what the Function constructor does, promotes it to a TrustedScript and then calls eval. To facilitate backwards compatibility, new Function is used directly in environments that do not support Trusted Types.
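The workaround described in the commit message above, sketched as an added example (not Angular's code and not part of this PR). `makeFunctionConstructor`, its `tt` parameter and the policy name `example#unsafe-dev` are hypothetical; `tt` stands for the browser's `trustedTypes` factory, passed in so the function can also run where that API is absent.

```javascript
// Added example, not Angular's implementation. makeFunctionConstructor and
// the policy name 'example#unsafe-dev' are hypothetical.
function makeFunctionConstructor(tt) {
  // tt: the Trusted Types factory (globalThis.trustedTypes in a browser),
  // or undefined where the API does not exist.
  let policy = null;
  if (tt && typeof tt.createPolicy === 'function') {
    // Created once: a duplicate policy name can be rejected by the CSP
    // trusted-types directive. The identity conversion is what makes this
    // policy unsafe, hence development-only use.
    policy = tt.createPolicy('example#unsafe-dev', { createScript: (s) => s });
  }
  return function newFunction(...args) {
    if (policy === null) {
      return new Function(...args); // backwards-compatible path
    }
    const params = args.slice(0, -1).join(',');
    const body = args.length > 0 ? args[args.length - 1] : '';
    // Same source text the Function constructor assembles. The newline before
    // ")" stops a trailing "//" comment in the parameters from swallowing it.
    const source = `(function anonymous(${params}\n) {\n${body}\n})`;
    // Indirect eval: runs in global scope, like code built by new Function.
    const result = globalThis['eval'](policy.createScript(source));
    // eval returns a non-string argument unchanged, so an engine that does not
    // evaluate TrustedScript objects hands back the wrapper, not a function.
    return typeof result === 'function' ? result : new Function(...args);
  };
}
```

In a browser the call would be `makeFunctionConstructor(globalThis.trustedTypes)`, and the page's CSP would have to list the policy name in its `trusted-types` directive.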
Address a Trusted Types violation that occurs in createNamedArrayType during development mode. Instead of passing strings directly to "new Function", use the Trusted Types compatible function constructor exposed by the Trusted Types policy. PR Close #39209

Introduce a Trusted Types policy that is only available in development
mode. It allows arbitrary unsafe conversions to Trusted Types to support
development features.

Address a Trusted Types violation that occurs in createNamedArrayType
during development mode. Instead of passing strings directly to "new
Function", use the Trusted Types compatible function constructor exposed
by the Trusted Types development policy.

Implement a workaround to make "new Function" work with Trusted Types,
as described here:
https://github.com/w3c/webappsec-trusted-types/wiki/Trusted-Types-for-function-constructor

This is based on #39207. See the individual commits for more details.
Other information
This is part of an ongoing effort to add support for Trusted Types to Angular.