Add security warning for ambiguous source maps (#137)

tc39 · Oct 10, 2024 · 0142f27 · 0142f27
1 parent 6ff3410
commit 0142f27
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/source-map.bs b/source-map.bs
@@ -777,6 +777,19 @@ without parsing|without parsing=] gives `foo.js.map`.
 
 </div>
 
+<div class="issue">
+Having multiple ways to extract a source map URL, that can lead to different
+results, can have negative security and privacy implications. Implementations
+that need to detect which source maps are potentially going to be loaded are
+strongly encouraged to always apply both algorithms, rather than just assuming
+that they will give the same result.
+
+A fix to this problem is being worked on, and will likely involve early returning
+from the below algorithms whenever there is a comment (or comment-like) that
+contains the characters U+0060 (&#x60;), U+0022 ("), or U+0027 ('), or the the
+sequence U+002A U+002F (*/).
+</div>
+
 #### Extraction methods for JavaScript sources #### {#extraction-javascript}
 
 To <dfn export>extract a Source Map URL from JavaScript through parsing</dfn> a [=string=] |source|,