docsify icon indicating copy to clipboard operation
docsify copied to clipboard
verified publisher icon docsifyjs

Ensure that HTML assignments are done through TrustedHTML

Open CxRes opened this issue 3 years ago • 4 comments

Bug Report

When using a content security policy (see policy below), I get an error like this:

docsify.js:8535 This document requires 'TrustedHTML' assignment.
_renderTo @ docsify.js:8535
initRender @ docsify.js:8729
Docsify @ docsify.js:9247
(anonymous) @ docsify.js:9277

docsify.js:8535         
Uncaught TypeError: Failed to set the 'outerHTML' property on 'Element': This document requires 'TrustedHTML' assignment.
    at Docsify._renderTo (docsify.js:8535:53)
    at Docsify.initRender (docsify.js:8729:16)
    at new Docsify (docsify.js:9247:12)
    at HTMLDocument.<anonymous> (docsify.js:9277:39)

If I remove the trused type policy from the header I still get this error:

docsify.js:8535 

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src cdn.jsdelivr.net 'self' ". Either the 'unsafe-inline' keyword, a hash ('sha256-6h52w3SLKvExCLgdk907pJwQu8hZtVM4QMirrrfKGaI='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

Line 8535 is an assignment to innerHTML/outerHTML adding a SHA to script tag generated by docsify internals is not possibility.

Steps to reproduce

Enable custom response headers on your server. Use the following Content Security Policy:

Content-Security-Policy: prefetch-src 'self'; script-src cdn.jsdelivr.net 'self'; style-src cdn.jsdelivr.net 'self'; img-src data: 'self' static.addtoany.com; font-src data: 'self'; manifest-src 'self'; default-src 'none'; base-uri 'self'; frame-ancestors 'none'; trusted-types dompurify; require-trusted-types-for 'script';

What is current behaviour

Errors as shown above.

What is the expected behaviour

Docsify should work normally irrespective of CSP header.

Other relevant information

The system information is irrelevant here (I have tested this on Cloudflare pages server, server used is probably more pertinent)

  • Your OS:
  • Node.js version: 18.8.0
  • npm/yarn version:
  • Browser version:
  • Docsify version: 4.12.2
  • Docsify plugins:

Please create a reproducible sandbox

I would but I am not sure how to simulate/modify HTTP headers in a sandbox!

CxRes avatar Sep 07 '22 02:09 CxRes

What's the fix that Docsify needs?

trusktr avatar Sep 07 '22 14:09 trusktr

tl;dr Define a Trusted Types policy (where you sanitize incoming html, say, with dom-purify). Ensure all HTML assignments such as Line 8535 in docsify.js 4.12.2 are done through the trusted type function and not directly.

Long version by one of the developers of this technique https://web.dev/trusted-types/

CxRes avatar Sep 07 '22 16:09 CxRes

Trusted Types isn't in Firefox or Safari yet. EDIT: there's a polyfill.

trusktr avatar Sep 07 '22 17:09 trusktr

Even on Firefox, I am seeing CSP violations thrown as errors and Docsify does not load. I am not sure how to get around CSP violations other than defining a Trusted Types policy (except for defining 'unsafe-inline' and thus negating the purpose of a CSP).

Security is not my area of expertise, unfortunately :(.

CxRes avatar Sep 07 '22 17:09 CxRes