trusted-types
A browser API to prevent DOM-based Cross-Site Scripting in modern web applications.
The current implementation in Chrome requires the input argument in createHTML etc. However, there are cases where the argument isn't required (e.g. just returning a static HTML string to be used for...
Many modern frameworks use [`data-`](https://html.spec.whatwg.org/multipage/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes) attributes for a number of purposes, up to and including script execution (see [Script Gadgets](https://github.com/google/security-research-pocs/tree/master/script-gadgets) for some examples). While the browser understands the purpose of...
As Flash and PNaCl went away, I don't see another way of embedding plugins which would cause DOM-XSS or equivalent. While I do see Adobe PDF as another threat, I'm...
Essentially, we'd like:
1. `eval(TrustedScript)`, `new Function(TrustedScript)`, and `new Function(TrustedScript, TrustedScript)` to work
2. Their string equivalents to go through the [default policy](https://wicg.github.io/trusted-types/dist/spec/#default-policy-hdr) `createScript` function (a.k.a. if TT are enforced,...
Explain especially the limitations (including the security limitations) of the polyfill.
This test fails (and alert is triggered):
```js
fit('insertAdjacentText not working properly', () => {
  const enforcer = new TrustedTypesEnforcer(ENFORCING_CONFIG);
  enforcer.install();
  const s = document.createElement('script');
  const p = document.createElement('p');
  s.appendChild(p);
  ...
```
One common pattern that frontend frameworks share is the way they work around a bug in IE, where `svg` elements have no `innerHTML`. Frameworks usually solve this in a...
Something like `window.trustedtypes.isEnabled(): bool`. This would be useful in a number of scenarios: * Frameworks that support strict contextual escaping and have their own notion of types (e.g. Angular, or...
Right now it's possible to load scripts by specifying a string (either by passing a module identifier, or a URL), e.g. via
- static import (ES modules)
- dynamic `import()`...
Pulling out from #222 and #235: If policy name or rules would only be inspected, but not modified by the JS meta policy callback, and (apart from arbitrary side effects)...
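The following is an added example, not code from the trusted-types project or its polyfill. The real `trustedTypes` object only exists in a browser with the API shipped, so the block stands in a small model of the factory and of one enforcing sink to make runnable the behaviour discussed above: policies with `createHTML`/`createScriptURL` rules and deliberately no `createScript`, a plain string reaching a sink being routed to the policy named `default` (with the type and sink name as extra arguments) and rejected when no such policy exists, and a `TrustedScript` reaching `eval` without consulting the default policy at all. The `TrustedValue` class, `getCompliantString`, `buildAppPolicy`, the `https://app.example` origin, and the allowlisted script string are all assumptions constructed for the example.

```javascript
// Added example, not code from the trusted-types project: a stand-in for the
// browser's trustedTypes factory plus one enforcing sink, runnable under Node.
// Assumption: what is modelled is createPolicy(name, rules), the
// createHTML/createScript/createScriptURL hooks, and the enforcing-sink rule
// that a plain string is handed to the policy named "default" (with type and
// sink name as extra arguments) and rejected if there is none or it returns null.

class TrustedValue {
  constructor(type, data) {
    this.type = type; // 'TrustedHTML' | 'TrustedScript' | 'TrustedScriptURL'
    this.data = data;
  }
  toString() { return this.data; }
}

const HOOKS = {
  TrustedHTML: 'createHTML',
  TrustedScript: 'createScript',
  TrustedScriptURL: 'createScriptURL',
};

function createFactory() {
  const policies = new Map();

  function createPolicy(name, rules = {}) {
    if (policies.has(name)) throw new TypeError(`policy "${name}" already exists`);
    const policy = { name, rules };
    for (const [type, hook] of Object.entries(HOOKS)) {
      policy[hook] = (input, ...args) => {
        if (typeof rules[hook] !== 'function') {
          throw new TypeError(`policy "${name}" has no ${hook} rule`);
        }
        // The input is stringified once before the rule sees it. A rule that
        // returns null/undefined is modelled here as producing an empty value.
        const out = rules[hook](String(input), ...args);
        return new TrustedValue(type, out == null ? '' : String(out));
      };
    }
    policies.set(name, policy);
    return policy;
  }

  return {
    createPolicy,
    get defaultPolicy() { return policies.get('default') || null; },
  };
}

// What an enforcing sink (innerHTML, eval, script.src, ...) does with its
// argument: accept a matching trusted value as-is, otherwise run the default
// policy's rule for that type, otherwise reject with a TypeError.
function getCompliantString(factory, type, input, sinkName) {
  if (input instanceof TrustedValue && input.type === type) return input.toString();
  const def = factory.defaultPolicy;
  const rule = def && def.rules[HOOKS[type]];
  if (typeof rule !== 'function') {
    throw new TypeError(`${sinkName} requires ${type}; no default policy rule converts a string`);
  }
  const out = rule(String(input), type, sinkName);
  if (out == null) throw new TypeError(`default policy rejected string for ${sinkName}`);
  return String(out);
}

// A typical application policy: HTML is escaped, script URLs must be same-origin
// (origin constructed for the example), and there is deliberately no
// createScript rule, so eval-like sinks cannot be fed from this policy.
function buildAppPolicy(factory) {
  const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return factory.createPolicy('app', {
    createHTML: (s) => s.replace(/[&<>"']/g, (c) => ESC[c]),
    createScriptURL: (s) => {
      const u = new URL(s, 'https://app.example');
      if (u.origin !== 'https://app.example') throw new TypeError(`blocked script URL ${s}`);
      return u.href;
    },
  });
}

// Worked run showing what each sink ends up receiving under enforcement.
function demo() {
  const tt = createFactory();
  const app = buildAppPolicy(tt);
  const r = {};
  const attempt = (fn) => { try { return fn(); } catch (e) { return e.constructor.name; } };

  r.escapedHtml = getCompliantString(tt, 'TrustedHTML',
    app.createHTML('<img src=x onerror=alert(1)>'), 'Element.innerHTML');
  // Plain string while no default policy is installed: the sink rejects it.
  r.stringNoDefault = attempt(() => getCompliantString(tt, 'TrustedHTML', '<b>x</b>', 'Element.innerHTML'));

  // Default policy: strings reaching eval pass only if on a tiny allowlist;
  // returning null rejects the assignment.
  tt.createPolicy('default', {
    createScript: (s, type, sink) => (s === 'console.log("ok")' ? s : null),
  });
  r.evalAllowlisted = getCompliantString(tt, 'TrustedScript', 'console.log("ok")', 'eval');
  r.evalRejected = attempt(() => getCompliantString(tt, 'TrustedScript', 'alert(document.cookie)', 'eval'));
  // A TrustedScript from any policy never touches the default policy.
  const scripts = tt.createPolicy('scripts', { createScript: (s) => s });
  r.evalTrusted = getCompliantString(tt, 'TrustedScript', scripts.createScript('1 + 1'), 'eval');
  return r;
}
```

`demo()` returns the string each sink would actually receive (or the name of the error that stopped it). In a real browser the sink logic lives inside `innerHTML`, `eval`, `script.src` and the other sinks and is enabled by the `require-trusted-types-for 'script'` CSP directive; this model only makes that control flow visible.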