[koto1sa]

Disclaimer: I'm working on the Trusted Types project in Google.

To clarify, Trusted Types are not a replacement for XSS auditor. They are both related to XSS, but are fundamentally different and even target different flavors of XSS.

Trusted Types are an opt-in browser API that helps developers prevent DOM-based (~client-side) XSS by mandating that developer-specified rules are applied to data that reaches risky functions (like eval or innerHTML). We're working on having it available as a proper W3C spec. More info at https://bit.ly/trusted-types or https://youtu.be/1KQngEZ8qH4

XSS auditor was an opt-out Chrome only feature that tried to stop reflected (~server-side) XSS payloads from executing after the injection has already happened. It was an now outdated concept. The idea was nice - prevent XSS without changing a bit of code in your application, but now we know this just doesn't work for xss.

[lol768]

> Trusted Types are an opt-in browser API that helps developers prevent DOM-based (~client-side) XSS by mandating that developer-specified rules are applied to data that reaches risky functions (like eval or innerHTML). We're working on having it available as a proper W3C spec. More info at https://bit.ly/trusted-types or https://youtu.be/1KQngEZ8qH4*

Can you expand a little on what Trusted Types gives you if you already have a strict CSP which prevents unsafe-eval/ unsafe-inline and e.g. has a 'self' base-uri set?

I'm assuming it would prevent you injecting other HTML if a DOM-based vulnerability existed.

[koto1sa]

Trusted Types aim to prevent the injection, XSS-y CSP directives (script-src etc) act as an XSS exploit mitigation that fires after the injection is already there. So, for example, even if the JS execution is stopped, the attacker may still exfiltrate the data via form tags etc.

CSP was traditionally deployed by security folks only and is a bit disconnected from the regular dev workflow. For example, if your application does not conform to CSP (i.e. you have an XSS), you can know that only when you deploy it, and the violations keep coming.

TT are part of your JS program, and are much closer to how developers prevent other bugs in their programs. For example, since the API uses types, you can even set up your build for the application not to compile if innerHTML is used with a string.

Additionally, TT allow the application to be a bit more precise - e.g. maybe you can't refactor the application not to use eval() ever (this is surprisingly common), but would rather make sure that this one eval() instance is secure, and disallow all others. TT solve that elegantly. Your reviewed eval starts using eval(TrustedScript), and all other evals - should they exist - are blocked.

In our experience rolling out CSP, its nonced version (w/ no script-dynamic, no unsafe-*) works well for server-side injections, whereas TT cover the client-side better.

https://github.com/WICG/trusted-types/wiki/FAQ#do-i-need-tru...

[lol768]

Thanks for a very comprehensive answer!

[snek]

We have APIs to put content in DOM elements without it being interpreted as html, and we have APIs to build DOM elements without using strings. Given that trusted types don't actually prevent xss from occuring and only make your data flow more explicit, why not just recommend to developers that they use the other APIs, instead of adding this new one?

[koto1sa]

I don't think you can build applications without using the dangerous sinks at all yet. Some common scenarios we know are common:

window.open href Setting text on a script element Setting src of a script element form.action innerHTML

Applications do use these sinks quite often, and some of them cannot be just get ridden of (e.g. href or script.src). Even removing eval takes ages. Complex applications parse HTML from the users, load scripts dynamically, and such.

That said - TT allow you to have such enforcement too - just set a "Content-Security-Policy: trusted-types;" header and all dangerous sinks can never be called. We call it Perfect Types, but it's not yet practical to build client side applications in that setting.

[snek]

Your response makes it sound like this is intended more for cases where a site uses innerHTML and its too much of a burden to rewrite, so you allow only that innerHTML, but that allowed innerHTML is still susceptible to XSS, so what is the point?

As a side note, having a header to disallow innerHTML and etc is definitely a good step, but the rest of this seems superfluous or even leading to a false sense of security.