|
|
|
|
|
|
by lol768
2529 days ago
|
|
|
> Trusted Types are an opt-in browser API that helps developers prevent DOM-based (~client-side) XSS by mandating that developer-specified rules are applied to data that reaches risky functions (like eval or innerHTML). We're working on having it available as a proper W3C spec. More info at https://bit.ly/trusted-types or https://youtu.be/1KQngEZ8qH4* Can you expand a little on what Trusted Types gives you if you already have a strict CSP which prevents unsafe-eval/ unsafe-inline and e.g. has a 'self' base-uri set? I'm assuming it would prevent you injecting other HTML if a DOM-based vulnerability existed. |
|
|
CSP was traditionally deployed by security folks only and is a bit disconnected from the regular dev workflow. For example, if your application does not conform to CSP (i.e. you have an XSS), you can know that only when you deploy it, and the violations keep coming.
TT are part of your JS program, and are much closer to how developers prevent other bugs in their programs. For example, since the API uses types, you can even set up your build for the application not to compile if innerHTML is used with a string.
Additionally, TT allow the application to be a bit more precise - e.g. maybe you can't refactor the application not to use eval() ever (this is surprisingly common), but would rather make sure that this one eval() instance is secure, and disallow all others. TT solve that elegantly. Your reviewed eval starts using eval(TrustedScript), and all other evals - should they exist - are blocked.
In our experience rolling out CSP, its nonced version (w/ no script-dynamic, no unsafe-*) works well for server-side injections, whereas TT cover the client-side better.
https://github.com/WICG/trusted-types/wiki/FAQ#do-i-need-tru...