Overall I think we agreed that script.evaluate and script.callFunction should not be impacted by the content page CSP. E.g., if a page sets the following meta tag

```html
<meta http-equiv="Content-Security-Policy" content="default-src 'none'">
```

you should still be allowed to use eval or new Function in an expression for script.evaluate/callFunction.
This is normally today already supported by Chrome, and we want to enable this for Firefox in https://bugzilla.mozilla.org/show_bug.cgi?id=1941780.
I started writing a wdspec test about this, and even though Chrome handles the synchronous cases fine, as soon as the eval/new Function is delayed via a setTimeout or in an async function, the CSP kicks in and prevents the code from running.
We already started mentioning the promise case internally for the Firefox implementation, because it might be hard to sandbox it to only apply to async code initiated by WebDriver BiDi.
Some examples of expressions which fail on Chrome at the moment:

```js
(async () => {
  await new Promise(r => setTimeout(r, 0));
  return eval("2 + 1");
})()
```

and

```js
new Promise(r => {
  setTimeout(() => {
    r(eval('2 + 1'));
  }, 0);
})
```

Is it fine/expected to only bypass CSP for synchronous code executed by the script module?
cc @OrKoN @jgraham