Update HostEnsureCanCompileStrings definition

Update the HostEnsureCanCompileStrings definition to match dynamic code brand checks stage 3 proposal.

Also update the call to EnsureCSPDoesNotBlockStringCompilation to pass these new arguments through.

Also update the timer initialization steps to call EnsureCSPDoesNotBlockStringCompilation directly, and include the new parameters.

Also define HostGetCodeForEval implementation.

See w3c/webappsec-csp#650 for corresponding CSP PR.

Also see whatwg#10202 for context.

Author: lukewarlow

source

@@ -3009,7 +3009,6 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
      <li>The <dfn data-x="js-HostEnqueuePromiseJob" data-x-href="https://tc39.es/ecma262/#sec-hostenqueuepromisejob">HostEnqueuePromiseJob</dfn> abstract operation</li>
      <li>The <dfn data-x="js-HostEnqueueTimeoutJob" data-x-href="https://tc39.es/ecma262/#sec-hostenqueuetimeoutjob">HostEnqueueTimeoutJob</dfn> abstract operation</li>
      <li>The <dfn data-x="js-HostEnsureCanAddPrivateElement" data-x-href="https://tc39.es/ecma262/#sec-hostensurecanaddprivateelement">HostEnsureCanAddPrivateElement</dfn> abstract operation</li>
-     <li>The <dfn data-x="js-HostEnsureCanCompileStrings" data-x-href="https://tc39.es/ecma262/#sec-hostensurecancompilestrings">HostEnsureCanCompileStrings</dfn> abstract operation</li>
      <li>The <dfn data-x="js-HostLoadImportedModule" data-x-href="https://tc39.es/proposal-import-attributes/#sec-HostLoadImportedModule">HostLoadImportedModule</dfn> abstract operation</li>
      <li>The <dfn data-x="js-HostMakeJobCallback" data-x-href="https://tc39.es/ecma262/#sec-hostmakejobcallback">HostMakeJobCallback</dfn> abstract operation</li>
      <li>The <dfn data-x="js-HostPromiseRejectionTracker" data-x-href="https://tc39.es/ecma262/#sec-host-promise-rejection-tracker">HostPromiseRejectionTracker</dfn> abstract operation</li>
@@ -3072,6 +3071,15 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
      <li><dfn data-x-href="https://tc39.es/ecma262/#table-49">The <var>TypedArray</var> Constructors</dfn> table</li>
     </ul>
 
+    <p>Users agents that support JavaScript must also implement the <cite>Dynamic Code Brand
+    Checks</cite> proposal. The following terms are defined there, and used in this specification:
+    <ref>JSDYNAMICCODEBRANDCHECKS</ref></p>
+
+    <ul class="brief">
+     <li>The <dfn data-x="js-HostEnsureCanCompileStrings" data-x-href="https://tc39.es/proposal-dynamic-code-brand-checks/#sec-hostensurecancompilestrings">HostEnsureCanCompileStrings</dfn> abstract operation</li>
+     <li>The <dfn data-x="js-HostGetCodeForEval" data-x-href="https://tc39.es/proposal-dynamic-code-brand-checks/#sec-hostgetcodeforeval">HostGetCodeForEval</dfn> abstract operation</li>
+    </ul>
+
     <p>Users agents that support JavaScript must also implement <cite>ECMAScript
     Internationalization API</cite>. <ref>JSINTL</ref></p>
 
@@ -4613,6 +4621,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
      <li><dfn data-x="tt-trustedhtml" data-x-href="https://w3c.github.io/trusted-types/dist/spec/#trustedhtml"><code>TrustedHTML</code></dfn></li>
      <li><dfn data-x="tt-trustedhtml-data" data-x-href="https://w3c.github.io/trusted-types/dist/spec/#trustedhtml-data">data</dfn></li>
      <li><dfn data-x="tt-trustedscript" data-x-href="https://w3c.github.io/trusted-types/dist/spec/#trusted-script"><code>TrustedScript</code></dfn></li>
+     <li><dfn data-x="tt-trustedscript-data" data-x-href="https://w3c.github.io/trusted-types/dist/spec/#trustedscript-data"><code>data</code></dfn></li>
      <li><dfn data-x="tt-trustedscripturl" data-x-href="https://w3c.github.io/trusted-types/dist/spec/#trustedscripturl"><code>TrustedScriptURL</code></dfn></li>
      <li><dfn data-x="tt-getcompliantstring" data-x-href="https://w3c.github.io/trusted-types/dist/spec/#get-trusted-type-compliant-string-algorithm">Get Trusted Type compliant string</dfn></li>
     </ul>
@@ -108912,18 +108921,39 @@ dictionary <dfn dictionary>PromiseRejectionEventInit</dfn> : <span>EventInit</sp
   security &mdash; that make implementation of private field semantics challenging, so our
   implementation simply rejects those objects.</p>
 
-  <h5><dfn data-x="the-hostensurecancompilestrings-implementation">HostEnsureCanCompileStrings</dfn>(<var>realm</var>)</h5>
+  <h5><dfn
+  data-x="the-hostensurecancompilestrings-implementation">HostEnsureCanCompileStrings</dfn>(<var>realm</var>,
+  <var>parameterStrings</var>, <var>bodyString</var>, <var>codeString</var>, <var>compilationType</var>,
+  <var>parameterArgs</var>, <var>bodyArg</var>)</h5>
 
   <p>JavaScript contains an <span>implementation-defined</span> <span
-  data-x="js-HostEnsureCanCompileStrings">HostEnsureCanCompileStrings</span>(<var>realm</var>)
-  abstract operation. User agents must use the following implementation: <ref>JAVASCRIPT</ref>
+  data-x="js-HostEnsureCanCompileStrings">HostEnsureCanCompileStrings</span> abstract operation,
+  redefined by the <cite>Dynamic Code Brand Checks</cite> proposal. User agents must use
+  the following implementation: <ref>JAVASCRIPT</ref> <ref>JSDYNAMICCODEBRANDCHECKS</ref>
 
   <ol>
    <li><p>Perform ? <span
-   data-x="csp-EnsureCSPDoesNotBlockStringCompilation">EnsureCSPDoesNotBlockStringCompilation</span>(<var>realm</var>).
+   data-x="csp-EnsureCSPDoesNotBlockStringCompilation">EnsureCSPDoesNotBlockStringCompilation</span>(<var>realm</var>,
+   <var>parameterStrings</var>, <var>bodyString</var>, <var>codeString</var>,
+   <var>compilationType</var>, <var>parameterArgs</var>, <var>bodyArg</var>).
    <ref>CSP</ref></p></li>
   </ol>
 
+  <h5><dfn
+  data-x="the-hostgetcodeforeval-implementation">HostGetCodeForEval</dfn>(<var>argument</var>)</h5>
+
+  <p>The <cite>Dynamic Code Brand Checks</cite> proposal contains an
+  <span>implementation-defined</span> <span
+  data-x="js-HostGetCodeForEval">HostGetCodeForEval</span>(<var>argument</var>) abstract operation.
+  User agents must use the following implementation: <ref>JSDYNAMICCODEBRANDCHECKS</ref>
+
+  <ol>
+   <li><p>If <var>argument</var> is a <code data-x="tt-trustedscript">TrustedScript</code> object,
+   then return <var>argument</var>'s <span data-x="tt-trustedscript-data">data</span>.</p></li>
+
+   <li><p>Otherwise, return no-code.</p></li>
+  </ol>
+
   <h5 id="the-hostpromiserejectiontracker-implementation"><dfn>HostPromiseRejectionTracker</dfn>(<var>promise</var>, <var>operation</var>)</h5>
 
   <p>JavaScript contains an <span>implementation-defined</span> <span
@@ -113588,9 +113618,10 @@ enum <dfn enum>DOMParserSupportedType</dfn> {
        <li><p><span>Assert</span>: <var>handler</var> is a string.</p></li>
 
        <li><p>Perform <span
-       data-x="the-hostensurecancompilestrings-implementation">HostEnsureCanCompileStrings</span>(<var>realm</var>).
-       If this throws an exception, catch it, <span>report the exception</span>, and abort these
-       steps.</p></li>
+       data-x="csp-EnsureCSPDoesNotBlockStringCompilation">EnsureCSPDoesNotBlockStringCompilation</span>(<var>realm</var>,
+       « », <var>handler</var>, <var>handler</var>, timer, « », <var>handler</var>). If this throws
+       an exception, catch it, <span>report the exception</span>, and abort these steps.</p></li>
+       <!-- timer is an enum value. -->
 
        <li><p>Let <var>settings object</var> be <var>global</var>'s <span>relevant settings
        object</span>.</p></li>
@@ -143192,6 +143223,9 @@ INSERT INTERFACES HERE
    <dt id="refsJSERRORSTACKS">[JSERRORSTACKS]</dt>
    <dd>(Non-normative) <cite><a href="https://tc39.es/proposal-error-stacks/">Error Stacks</a></cite>. Ecma International.</dd>
 
+   <dt id="refsJSDYNAMICCODEBRANDCHECKS">[JSDYNAMICCODEBRANDCHECKS]</dt>
+   <dd><cite><a href="https://tc39.es/proposal-dynamic-code-brand-checks/">Dynamic code brand checks</a></cite>. Ecma International.</dd>
+
    <dt id="refsJSIMPORTATTRIBUTES">[JSIMPORTATTRIBUTES]</dt>
    <dd><cite><a href="https://tc39.es/proposal-import-attributes/">Import attributes</a></cite>. Ecma International.</dd>