trusted-types Figure out if there is a better way to guard navigations to `javascript:` across documents

Figure out if there is a better way to guard navigations to `javascript:` across documents

Open koto opened this issue 2 years ago • 0 comments

Related to #357 as cross-window navigations can be triggered from svg:use-loaded documents.

TT protect the navigation to javascript: a bit differently than script-src.

require-trusted-types-for directive only uses pre-navigation check
script-src directive uses inline check

As a consequence, require-trusted-types-for will not stop a <a target=somewindow href=javascript:foo> if a target window does not have the require-trusted-types-for (poc). script-src will stop such navigation (poc). That was described in https://microsoftedge.github.io/edgevr/posts/eliminating-xss-with-trusted-types/#cross-document-vectors.

It's not yet clear to me why is the navigation under script-src blocked, but it would be nice to be able to align with this, if possible.

Mar 29 '22 16:03 koto

trusted-types trusted-types copied to clipboard

Figure out if there is a better way to guard navigations to `javascript:` across documents

trusted-types
trusted-types copied to clipboard