Skip to content

TrustedTypes: Function() constructor + eval() #42462

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
hamishwillee wants to merge 3 commits into
base: main
Choose a base branch
from
Open

TrustedTypes: Function() constructor + eval() #42462

hamishwillee wants to merge 3 commits into from
+154 −9

Conversation

@hamishwillee
Copy link
Collaborator

@hamishwillee hamishwillee commented Dec 19, 2025
edited
Loading

The Function() constructor can execute its arguments as JavaScript.
Similarly eval() executes its input as JavaScript.

This updates the TrustedType information for both methods.

Note, I provided an example for eval() but not Function. I wasn't sure if I should do either, because even though this is notionally safer than not using trusted types, there is really no direction on how you can practically and generically transform a script so that it is safe.

For the eval() case I just indicated the use of custom transforming function, for which I provided no implementation. For Function, I added a disclaimer and linked to the eval() example.

Related docs work tracked in #41507

@hamishwillee hamishwillee requested a review from a team as a code owner December 19, 2025 05:57
@hamishwillee hamishwillee requested review from Josh-Cena and wbamberg and removed request for a team December 19, 2025 05:57
@github-actions github-actions bot added Content:JS JavaScript docs size/m [PR only] 51-500 LoC changed labels Dec 19, 2025
@hamishwillee hamishwillee mentioned this pull request Dec 19, 2025
Open
8 tasks
@github-actions
Copy link
Contributor

github-actions bot commented Dec 19, 2025
edited
Loading

Preview URLs

(comment last updated: 2025-12-22 04:50:31)

@hamishwillee hamishwillee changed the title TrustedTypes: Function() constructor TrustedTypes: Function() constructor + eval() Dec 22, 2025
@hamishwillee hamishwillee mentioned this pull request Dec 22, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Josh-Cena Josh-Cena Awaiting requested review from Josh-Cena Josh-Cena is a code owner automatically assigned from mdn/javascript

@wbamberg wbamberg Awaiting requested review from wbamberg

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

Content:JS JavaScript docs size/m [PR only] 51-500 LoC changed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@hamishwillee