
Add require-trusted-types-for to CSP

Open dorianmariecom opened this issue 3 years ago • 1 comments

From https://csp-evaluator.withgoogle.com :

Consider requiring Trusted Types for scripts to lock down DOM XSS injection sinks. You can do this by adding "require-trusted-types-for 'script'" to your policy.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for

Example:

Content-Security-Policy: require-trusted-types-for 'script';

Feature Requests

Adding a new CSP directive

  • Is the directive supported by any user agent? If so, which?
[Screenshot attached: Screenshot 2021-12-10 at 08 06 37]
  • What does it do?

When used, those functions only accept non-spoofable, typed values created by Trusted Type policies, and reject strings. Together with trusted-types directive, which guards creation of Trusted Type policies, this allows authors to define rules guarding writing values to the DOM and thus reducing the DOM XSS attack surface to small, isolated parts of the web application codebase, facilitating their monitoring and code review.

  • What are the valid values for the directive?

https://w3c.github.io/webappsec-trusted-types/dist/spec/#require-trusted-types-for-csp-directive

Seems like there is only 'script' as a valid value, not sure

dorianmariecom avatar Dec 10 '21 07:12 dorianmariecom
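As an added example (not the gem's code, and not posted by anyone in this thread), a small Ruby check in the spirit of the csp-evaluator finding quoted above: it parses a Content-Security-Policy header value and reports whether it requires Trusted Types for scripts and restricts who may create policies. The sample headers are constructed for illustration.

```ruby
# Added example (not secure_headers' own code): parse a Content-Security-Policy
# header value and report whether it locks down DOM XSS sinks with
# require-trusted-types-for 'script', as csp-evaluator recommends.

# Parse "dir1 v1 v2; dir2 v3" into { "dir1" => ["v1", "v2"], "dir2" => ["v3"] }.
# Directive names are case-insensitive; a repeated directive is ignored after
# its first occurrence, matching how browsers treat duplicates.
def parse_csp(header)
  header.split(";").each_with_object({}) do |token, directives|
    parts = token.strip.split(/\s+/)
    next if parts.empty? || parts.first.empty?
    name = parts.shift.downcase
    directives[name] = parts unless directives.key?(name)
  end
end

# Return a list of findings; empty when the policy requires Trusted Types for
# scripts and also restricts policy creation.
def trusted_types_findings(header)
  directives = parse_csp(header)
  findings = []
  values = directives["require-trusted-types-for"]
  if values.nil?
    findings << "missing require-trusted-types-for 'script': DOM XSS sinks accept plain strings"
  elsif !values.include?("'script'")
    findings << "require-trusted-types-for present but without 'script' (the only valid value)"
  end
  # Without a trusted-types directive any code may create its own policy, so the
  # code that can write to DOM sinks is not confined to reviewed parts of the app.
  findings << "no trusted-types directive: policy creation is unrestricted" unless directives.key?("trusted-types")
  findings
end

def trusted_types_enforced?(header)
  trusted_types_findings(header).empty?
end

# Constructed sample headers for illustration.
LOOSE  = "default-src 'self'; script-src 'self'"
STRICT = "default-src 'self'; require-trusted-types-for 'script'; trusted-types app-policy"

if __FILE__ == $PROGRAM_NAME
  [LOOSE, STRICT].each do |h|
    findings = trusted_types_findings(h)
    puts "#{h}\n  -> #{findings.empty? ? 'ok' : findings.join('; ')}"
  end
end
```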

@dorianmariefr: require-trusted-types-for is implemented in v6.4.0. Does this meet your needs?

lgarron avatar Aug 10 '22 19:08 lgarron

@lgarron I don't maintain an application that uses secure_headers anymore

dorianmariecom avatar Aug 11 '22 06:08 dorianmariecom

Alright, thanks! I'll mark this as closed, and we can use new issues if there is something to change about the implementation.

lgarron avatar Aug 11 '22 06:08 lgarron