trusted-types
Figure out if there is a better way to guard navigations to `javascript:` across documents
Related to #357, as cross-window navigations can be triggered from `svg:use`-loaded documents.
TT protects the navigation to `javascript:` a bit differently than `script-src`:

- the `require-trusted-types-for` directive only uses a pre-navigation check
- the `script-src` directive uses an inline check

As a consequence, `require-trusted-types-for` will not stop a `<a target=somewindow href=javascript:foo>` if the target window does not have `require-trusted-types-for` (poc). `script-src` will stop such a navigation (poc). That was described in https://microsoftedge.github.io/edgevr/posts/eliminating-xss-with-trusted-types/#cross-document-vectors.
It's not yet clear to me why the navigation under `script-src` is blocked, but it would be nice to be able to align with this, if possible.
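The two cross-window cases described above can be reproduced locally with the following harness. It is an added example, not code from this issue, the Trusted Types spec or any browser; the URL layout (`/?csp=...`), the window name `victim`, the three policy variants and the port are assumptions of the example. Every served document carries the CSP selected by its `csp` query parameter and contains only static markup: links that open or re-navigate a window named `victim` to any variant, and a `javascript:` link targeting that window whose only effect is to write a marker string into the target body. Because both the navigating and the target document can be served under `require-trusted-types-for`, `script-src`, or no policy, the harness lets you compare which document's policy, if any, blocks the navigation.

```python
# Added reproduction harness for the two cross-window cases above. Not code from
# the issue, the Trusted Types spec or any browser: the URL layout (/?csp=...),
# the window name "victim", the policy variants and the port are assumptions.
import html
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

TARGET_WINDOW = "victim"  # assumed name of the window being navigated

# CSP delivered with a document, selected by its ?csp= query parameter.
# None means the document is served with no Content-Security-Policy header.
POLICIES = {
    "none": None,
    "tt": "require-trusted-types-for 'script'",
    "script-src": "script-src 'self'",
}


def csp_for(variant: str):
    """Return the Content-Security-Policy value for a variant (None = no header)."""
    if variant not in POLICIES:
        raise ValueError(f"unknown policy variant: {variant}")
    return POLICIES[variant]


def render_page(variant: str) -> str:
    """Render the test document. It is fully static (no inline script, no event
    handlers), so it renders identically under every policy variant."""
    header = csp_for(variant)
    open_links = "".join(
        f'<li><a target="{TARGET_WINDOW}" href="/?csp={v}">{v}</a></li>'
        for v in POLICIES
    )
    # The javascript: URL is deliberately benign: it only writes a marker into
    # the target document's body so that an allowed navigation is visible.
    js_link = (
        f'<a target="{TARGET_WINDOW}" '
        "href=\"javascript:document.body.textContent='javascript: URL ran'\">"
        "navigate the victim window to javascript:</a>"
    )
    return (
        "<!doctype html>"
        f"<title>csp={html.escape(variant)}</title>"
        f"<p>This document's CSP: <code>{html.escape(header or '(none)')}</code></p>"
        "<p>Step 1: open (or re-navigate) the victim window to a document served with:</p>"
        f"<ul>{open_links}</ul>"
        f"<p>Step 2: from this document, {js_link}</p>"
        "<p>If the marker text appears in the victim window, the navigation was allowed.</p>"
    )


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        variant = parse_qs(urlparse(self.path).query).get("csp", ["none"])[0]
        try:
            header = csp_for(variant)  # validated before it reaches the markup
        except ValueError:
            self.send_error(404, "unknown csp variant")
            return
        body = render_page(variant).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        if header is not None:
            self.send_header("Content-Security-Policy", header)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Serves on localhost only; open http://127.0.0.1:8000/?csp=tt in a browser.
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

Run the script, open `http://127.0.0.1:8000/?csp=tt` (the navigating document enforcing Trusted Types), click a variant under step 1 to open the `victim` window with that policy, then click the `javascript:` link under step 2. The marker text appears in the victim window when the navigation was allowed; when it was blocked, the browser console usually reports the CSP violation and names the directive responsible. Repeating this with `?csp=none` and `?csp=script-src` as the navigating document, against each target variant, gives the full matrix behind the pre-navigation versus inline distinction described in the issue.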