Add security warning for ambiguous source maps #137
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
This is how that section looks like now:
|
littledan
approved these changes
Oct 10, 2024
jkup
approved these changes
Oct 10, 2024
nicolo-ribaudo
changed the title
github-actions bot
added a commit
that referenced
this pull request
Oct 10, 2024
SHA: 7c40f8c Reason: push, by nicolo-ribaudo Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
nicolo-ribaudo
added a commit
that referenced
this pull request
Oct 10, 2024
github-actions bot
added a commit
that referenced
this pull request
Oct 10, 2024
SHA: 0142f27 Reason: push, by nicolo-ribaudo Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
It was pointed out during the October 2024 plenary that being able to cause a tool to perform a network request can be used for tracking purposes, and thus it should be possible to statically know whether a file links to a source map or not.
The problem is that, given that we have multiple linking methods that give different results, it's not unlikely that ambiguous source map comments can skip through reviews and checks.
There was a solution that we collectively came up with, but we did not want to change the specification at this point given that we need to discuss it in TG4 and go through the implications of it.
Approval on publishing the first edition of our spec was conditional of explicitly calling out (in a note / not normative section) the implications of the ambiguity, and how a potential solution would look like. Our specification already points to the living draft, and thus it's ok if we just work on the actual fix in the living draft.
The proposed fix is very likely to affect no actual usages of source maps, but we need to check in TG4 if it needs to be tweaked. I'll open an issue to better discuss it.
Examples of ambiguous comments:
This PR needs to be merged today, because we need to start the 60 days period and this is a requirement for it. The pull request does not contain any normative changes, and is entirely an editorial decision.