trusted-types
trusted-types copied to clipboard
w3c
A browser API to prevent DOM-Based Cross Site Scripting in modern web applications.
The slot value is now set before the IDL attribute setter is called. That will make the 'prepare the script element' HTML algorithm receive the new value, since that algorithm...
That way people can discover the repository from https://www.npmjs.com/package/trusted-types. See [`package.json` `repository` field documentation](https://docs.npmjs.com/cli/v8/configuring-npm/package-json#repository)
After publishing the [XHR vector](https://github.com/shhnjk/cursed_types#xhr-document-response), there was [feedback](https://twitter.com/craigfrancis/status/1493584577457278976) asking to enforce Trusted Types on XHR document response. Is it possible to change [XMLHttpRequest](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest) (i.e. XHR) to the following? 1. Change...
Related to #357 as cross-window navigations can be triggered from `svg:use`-loaded documents. TT protect the navigation to `javascript:` a bit differently than `script-src`. - `require-trusted-types-for` directive only uses [pre-navigation check](https://w3c.github.io/webappsec-trusted-types/dist/spec/#require-trusted-types-for-pre-navigation-check)...
We should enforce Trusted Types on `` tag's `href` attribute. Found by @masatokinugawa. https://twitter.com/kinugawamasato/status/1493576076726988802 ``` let attackerControlledString = 'data:image/svg+xml;base64,PHN2ZyBpZD0neCcgeG1sbnM9J2h0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnJyB4bWxuczp4bGluaz0naHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluayc+CjxpbWFnZSBocmVmPSJ4IiBvbmVycm9yPSJhbGVydChvcmlnaW4pIiAvPgo8L3N2Zz4=#x'; const svg=document.createElementNS('http://www.w3.org/2000/svg','svg'); const use=document.createElementNS('http://www.w3.org/2000/svg','use'); use.setAttributeNS('http://www.w3.org/1999/xlink','href',attackerControlledString); svg.appendChild(use); document.body.appendChild(svg); ```
Currently, there is no Trusted Types enforcement on `` in XSL document. Found by [Alex](https://twitter.com/insertScript) https://twitter.com/kinugawamasato/status/1493641462776360961 ``` let attackerControlledString = ""; const doc = document.implementation.createHTMLDocument(); const xslt = document.createElementNS("http://www.w3.org/1999/XSL/Transform","xsl:stylesheet"); xslt.setAttribute("xmlns:xsl","http://www.w3.org/1999/XSL/Transform"); ...
Currently, there is no Trusted Types enforcement on `document.createProcessingInstruction`. Found by @masatokinugawa. https://twitter.com/kinugawamasato/status/1493571837019648003 ``` let attackerControlledString = 'data:text/xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHhzbDpzdHlsZXNoZWV0IHhtbG5zOnhzbD0iaHR0cDovL3d3dy53My5vcmcvMTk5OS9YU0wvVHJhbnNmb3JtIiB2ZXJzaW9uPSIxLjAiPgogIDx4c2w6b3V0cHV0IG1ldGhvZD0iaHRtbCIgIC8+CiAgPHhzbDp0ZW1wbGF0ZSBtYXRjaD0iLyI+CjxzY3JpcHQ+YWxlcnQoZG9jdW1lbnQuZG9tYWluKTwvc2NyaXB0PgogIDwveHNsOnRlbXBsYXRlPgo8L3hzbDpzdHlsZXNoZWV0Pg=='; const pi=document.createProcessingInstruction("xml-stylesheet",`href='${attackerControlledString}' type='text/xml'`); document.insertBefore(pi, document.firstChild); ```
Given the state of the spec, the test suite, and the shipping implementation in Chromium-based browsers, it seems reasonable to publish the document as an FPWD. This issue will serve...
Pointed out by @mozfreddyb in https://twitter.com/freddyb/status/1412734759906783236. `el.innerHTML = ''` is a very common sink in web applications migrated to Trusted Types (https://docs.google.com/document/d/1m91JZWKAGOR3jQoicMVE9Ydcq79gM2BetcRIBemrex8/view#heading=h.9yr1d07740qg). Though it is possible to rewrite such code,...
Scripts created by the parser don't have their slot values filled, which formally would cause the default policy invocation in [prepare script url and text](https://w3c.github.io/webappsec-trusted-types/dist/spec/#prepare-script-url-and-text) - and might cause the...