Field test status: diagnostic pass completed; upstream direction pending.

This one is different from the merged patch reports. The Electron case produced a narrow draft repair and a focused regression test, but it did not land as-is. Maintainer review raised a security-boundary concern, and the repair lane was paused pending clarification of Electron's intended behavior. That still makes it a useful field test. Sometimes a diagnostic field test proves the patch. Sometimes it proves the boundary question. This one did the second thing.

Target Repository: electron/electron
Issue: #48240
Draft PR: #51991
Issue title: [24.1.0 regression] Unsandboxed preload is restricted by Content-Security-Policy, but only after readyState becomes interactive
Public PR title: fix: don't apply page csp to isolated preload codegen

The reported failure

The issue reported inconsistent behavior in Electron preload execution. In an unsandboxed preload script (sandbox: false) with contextIsolation: true, string code generation such as new Function(...) was allowed early in preload execution, but became blocked by the page's Content-Security-Policy once document.readyState reached "interactive". That matters because some libraries detect code-generation support once, cache the answer, and rely on that cached answer for the rest of the session.

So the failure was not simply "CSP blocks eval." The failure was temporal inconsistency: the same preload context answered the code-generation question one way at the beginning of execution and another way after document parsing progressed. That is a drift-shaped failure. A truth changed mid-context.

Why this is a boundary problem

Electron sits between several worlds at once:
Chromium page behavior.
Electron preload behavior.
Node-enabled application behavior.
Content Security Policy.
Context isolation.
Application security expectations.
That makes the boundary important.
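The drift described above is easy to miss because a single probe at preload start looks fine. The example below, added here and not taken from the issue, the draft PR or Electron's own test suite, records the code-generation answer at preload start and at each document milestone and flags a timeline whose answer changes. The codegenAllowed probe and recordTimeline are what you would drop into a real preload (recordTimeline(document, codegenAllowed) under a page CSP whose script-src lacks 'unsafe-eval'); FakeDocument and the "allowed only while readyState is loading" model inside simulateReportedBehavior are constructed stand-ins so the check runs in plain Node without Electron, and are assumptions about the reported behavior rather than Electron's code. All function names are this example's own.

```javascript
'use strict';

// Live probe: is string code generation allowed in this realm right now?
// Under a CSP whose script-src lacks 'unsafe-eval', Chromium makes
// new Function(...) throw an EvalError; any other error is a real bug.
function codegenAllowed() {
  try {
    new Function('return 1')();
    return true;
  } catch (e) {
    if (e instanceof EvalError) return false;
    throw e;
  }
}

// Detect-once-and-cache, in the style of the libraries the issue mentions.
// This is the pattern that goes stale when the answer changes mid-context.
function makeCachedDetector(probe) {
  let cached;
  return () => {
    if (cached === undefined) cached = probe();
    return cached;
  };
}

// Record the probe's answer at preload start and at every document milestone.
// `doc` needs only readyState and addEventListener, so the real `document`
// works inside a preload script and the FakeDocument below works in Node.
function recordTimeline(doc, probe) {
  const timeline = [];
  const record = (phase) =>
    timeline.push({ phase, readyState: doc.readyState, allowed: probe() });
  record('preload-start');
  doc.addEventListener('readystatechange', () => record('readystatechange'));
  doc.addEventListener('DOMContentLoaded', () => record('DOMContentLoaded'));
  return timeline;
}

// A timeline "drifts" when the same realm gave more than one answer.
function hasDrift(timeline) {
  return new Set(timeline.map((entry) => entry.allowed)).size > 1;
}

// Consistency check in the spirit of the draft's regression test: the answer
// at preload start must match the answer after DOMContentLoaded.
function consistentAcrossDomContentLoaded(timeline) {
  const first = timeline.find((e) => e.phase === 'preload-start');
  const afterDcl = timeline.find((e) => e.phase === 'DOMContentLoaded');
  return Boolean(first && afterDcl) && first.allowed === afterDcl.allowed;
}

// Constructed stand-in for the renderer's document so the check runs offline.
// Advancing to "interactive" fires readystatechange and then DOMContentLoaded,
// the order a browser uses.
class FakeDocument extends EventTarget {
  constructor() {
    super();
    this.readyState = 'loading';
  }
  advance(state) {
    this.readyState = state;
    this.dispatchEvent(new Event('readystatechange'));
    if (state === 'interactive') this.dispatchEvent(new Event('DOMContentLoaded'));
  }
}

// Constructed model of the reported behavior (an assumption, not Electron's
// code): page CSP starts applying to the preload world once parsing reaches
// "interactive", so the probe is allowed only while readyState is "loading".
function simulateReportedBehavior() {
  const doc = new FakeDocument();
  const probe = () => doc.readyState === 'loading';
  const cachedDetector = makeCachedDetector(probe);
  const timeline = recordTimeline(doc, probe);
  cachedDetector(); // a library asks once, early, and caches "allowed"
  doc.advance('interactive');
  doc.advance('complete');
  return {
    timeline,
    drift: hasDrift(timeline),
    cachedAnswer: cachedDetector(), // still true: stale
    liveAnswer: probe(), // false: what the realm actually does now
  };
}

const demo = simulateReportedBehavior();
console.log(JSON.stringify(demo, null, 2));
```

In the simulated run the timeline reads allowed at preload start and blocked from the readystatechange to "interactive" onward, hasDrift returns true, and the cached detector keeps answering "allowed" after the live probe has flipped, which is exactly the stale-cache hazard the issue describes. Keep the EvalError check strict: a CSP block is the only failure the probe should swallow, so a syntax or runtime error in the probe itself surfaces instead of being misread as "blocked".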
The diagnostic question was not only "Should code generation be allowed?" The better question was "Which policy owns code generation inside an isolated preload world, and should that answer change after document parsing begins?"

That is the boundary. The page has a Content-Security-Policy. The preload script runs in an Electron-managed isolated world. The app may rely on preload behavior. The security model may rely on the page CSP applying transitively to that isolated world. If those ownership lines are unclear, the runtime can become inconsistent. That is exactly what the issue exposed.

The first repair lane

The draft repair tested one interpretation of the boundary: if the preload script runs in Electron's isolated world, then page CSP should not make preload string code generation change after document parsing begins.

The patch added a check for Electron's isolated world and routed that case around the page CSP code-generation callback, while keeping page CSP enforcement for main-world renderer code. It also added a regression test for an unsandboxed, context-isolated preload under a restrictive page CSP. The test verified that string code generation stayed consistently allowed both before and after DOMContentLoaded.

That was a narrow patch. Two files changed:
shell/common/node_bindings.cc
spec/chromium-spec.ts
The focused regression test passed locally.

Maintainer review changed the repair lane

Electron maintainer review raised the key concern: if apps are already relying on the page CSP as a transitive guard against eval-like behavior in isolated preload code, then bypassing page CSP for isolated preload code generation may weaken their security posture.

That is the important moment in this field test. The diagnostic pass found a real inconsistency. The first repair lane made the behavior consistent in one direction. Maintainer review clarified that consistency in that direction may not match the intended security boundary. So the responsible next step is not to force the patch.
The responsible next step is to pause and ask which boundary Electron intends: Should page CSP block preload eval-like code generation co
Scarab Diagnostic Field Test #029 — Electron CSP / Isolated Preload Boundary
AUTHOR · Scarab Systems