Krzysztof Kotowicz

Results 232 comments of Krzysztof Kotowicz

Fair point. Do I get it right, @annevk that you'd rather object and embed were removed altogether from TT enforcement? Nowadays, for web, they are closer to iframe, which we...

Both these vectors require fetching new (same-origin, local scheme) documents and inserting nodes from there. I suspect they would be less probable to legitimately ([authors are not malicious](https://w3c.github.io/trusted-types/dist/spec/#non-goals) in TT...

> Aren't we also considering blocking XSLT? That's also cross-document, no? We should at least be consistent. Vectors from https://github.com/w3c/trusted-types/issues/359 would also be subject to CSP (it's `unsafe-inline`, essentially), so...

The CSP integration would need dynamic-code-brand-checks proposal in ES - that got blocked from advancing to Stage 2 in TC39 ([relevant discussion](https://github.com/tc39/notes/blob/main/meetings/2021-01/jan-26.md#dynamic-host-brand-checks-for-stage-2)), so it's unlikely this would be specified in...

Based on https://github.com/tc39/ecma262/pull/3222#issuecomment-1832845892, the intention changed during the plenary and the host only has access to the stringified value. The meeting notes are not public yet, but I guess the...

Thanks for the context. Do you know what caused the change during the plenary? What were the concerns about giving the host the unstringified value?

Similarly, i.e. every argument to `Function` constructor is a TrustedScript (created from a policy, or from `fromLiteral`), or a string. Proposed [dynamic-code-brand-checks](https://tc39.es/proposal-dynamic-code-brand-checks/) in ES assemble the function body, stringifying all...

Correct, but it can still execute arbitrary JS, and the type to express that capability is `TrustedScript`. ``` let p = trustedTypes.createPolicy("p", { createScript: (t) => t }); let ts0...

Fair point, I was using the term arbitrary in a colloquial sense, from a security perspective. Function argument declarations can define and/or call other functions, which is XSS-equivalent in Trusted...