trusted-types
Maybe remove plugin enforcement from Trusted Types?
As Flash and PNaCl went away, I don't see any other way of embedding plugins that would cause DOM XSS or equivalent. While I do see Adobe PDF as another threat, I'm not sure a modern browser that supports Trusted Types would allow loading such plugins. See also https://github.com/w3c/webappsec-csp/pull/456
Sounds like it's time to do it, yes. See also #234.
// cc @mikewest - Are plugins really, really going away?
Flash is certainly gone. PDF isn't (and I think extensions still support NaCl modules? And possibly something something enterprise policy?). We're in the process of removing plugin-types from CSP, but I don't think there's a good reason to remove object-src yet, given that <embed> and <object> can certainly still cause code execution.
> I think extensions still support NaCl modules?
Extensions are not an issue. Content scripts can bypass Trusted Types anyway.
> given that <embed> and <object> can certainly still cause code execution.
Causing JS execution isn't an issue, as long as it can't cause JS execution in the context of the embedder (i.e. the parent frame).
I think Mike was talking about extensions that want to use TT to prevent DOM XSS in their own code.
Okay, fair :) TT isn't supported in Extensions yet, and I'm waiting for it :)
Why isn't TT supported in extensions? That sounds strange.
> Why isn't TT supported in extensions? That sounds strange.
There is at least one additional sink available in extension pages (i.e. chrome.tabs.executeScript) that needs to be guarded by TT (which isn't yet implemented). I'm waiting for that to be implemented (see this bug) :)
Revisiting that: it sounds to me like we should keep the object/embed enforcement for now, as we should at least also make TT a viable solution for browser extensions. The cost of keeping that is entirely on the IDL layer (https://w3c.github.io/trusted-types/dist/spec/#enforcement-in-sinks), so it's quite small. Whether Chromium implements the TT check in a non-web extension API seems unrelated?
Browser extensions are somewhat explicitly out-of-scope of web platform specifications though. So I don't think that conclusion follows.
Fair point. Do I get it right, @annevk that you'd rather object and embed were removed altogether from TT enforcement? Nowadays, for web, they are closer to iframe, which we don't control with TT -- but I want to make sure I'm not misinterpreting.
They are a bit different request-wise, but I'm not sure how much that plays into TT's threat model. I mainly don't want us to make a decision for these elements based on browser extensions.
This came back up on my PR to upstream the IDL changes to HTML. If the threat caused by these sinks no longer exists (Flash), then I think it makes sense to remove the TT coverage on them?
+1, we should remove these.