by bugmen0t 1369 days ago
The most prevalent type of security vulnerability in all of software is XSS. (If you count CVEs, which is admittedly a bit problematic).

I’m collaborating on an attempt to shift the responsibility for XSS from the developers and towards the browser. The current stage focuses on getting the use case "insert HTML but without any scripts" right.

There’s a public specification and prototype implementations in Firefox and Chrome. You can play with it here https://sanitizer-api.dev/

We think that we’ve made the best of many different tradeoffs, but we’re also keen to hear wide feedback.

4 comments

This sounds potentially useful, but I'm not sure about the practicality.

It's usually pretty easy to not write XSS vulnerabilities, as long as you know they are a thing you need to think about.

Given that people don't bother to avoid writing XSS bugs right now, why do you think they will bother to use your tool to avoid writing XSS bugs in the future?

Given the new DOM API, it’s also relatively easy to forbid the "bad APIs" using something like eslint (at the source level) or Trusted Types (at runtime).

The hope is to also cater to frontend frameworks enough that they will adopt it. There are already some conversations.
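Added example, not code from the Sanitizer API project or from anyone in this thread: a toy allowlist sanitizer together with a sink that refuses raw strings. It illustrates the two ideas above in one place: "insert HTML but without any scripts" is done by allowlisting elements and attributes rather than hunting for bad ones, and "forbid the bad APIs" is done by letting the sink accept only values minted by a policy (the Trusted Types idea). The real Sanitizer API runs the browser's own HTML parser; the regex tokenizer, the element and attribute lists, and the `policy.createHTML` / `setInnerHTML` names here are constructed stand-ins so the example runs under Node without a DOM, not a parser you would ship.

```javascript
// Added example (not the Sanitizer API's code): allowlist sanitizer + gated sink.
const ALLOWED_ELEMENTS = new Set(['p', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li', 'br']);
const ALLOWED_ATTRIBUTES = { '*': new Set(['title']), a: new Set(['href']) };
const SAFE_URL = /^(https?:\/\/|mailto:)/i; // no javascript:, data:, vbscript:, ...

function escapeText(s) {
  return s.replace(/&(?![a-zA-Z#][a-zA-Z0-9]*;)/g, '&amp;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
const escapeAttr = (s) => escapeText(s).replace(/"/g, '&quot;');

// Matches name="v" | name='v' | name=v | name inside a tag.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>`]+)))?/g;

// Rebuild one tag from its allowed parts; returns '' to drop it entirely.
function sanitizeTag(inner, closing) {
  const m = /^([a-zA-Z][a-zA-Z0-9]*)/.exec(inner);
  if (!m) return '';                          // comments, doctype, "< p", etc.
  const name = m[1].toLowerCase();
  if (!ALLOWED_ELEMENTS.has(name)) return ''; // <script>, <img>, <iframe>, <svg>, ...
  if (closing) return `</${name}>`;
  const allowed = new Set([...ALLOWED_ATTRIBUTES['*'], ...(ALLOWED_ATTRIBUTES[name] || [])]);
  let out = `<${name}`;
  for (const a of inner.slice(m[0].length).matchAll(ATTR_RE)) {
    const attr = a[1].toLowerCase();
    const value = a[2] ?? a[3] ?? a[4] ?? '';
    if (!allowed.has(attr)) continue;         // drops on*=, style=, srcdoc=, ...
    if (attr === 'href' && !SAFE_URL.test(value.trim())) continue;
    out += ` ${attr}="${escapeAttr(value)}"`;
  }
  return out + '>';
}

function sanitizeHTML(input) {
  // Drop script/style contents too, so "alert(1)" does not survive as text.
  const src = input.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
  let out = '', last = 0;
  for (const m of src.matchAll(/<(\/?)([^<>]*)>/g)) {
    out += escapeText(src.slice(last, m.index));   // text between tags
    out += sanitizeTag(m[2], m[1] === '/');
    last = m.index + m[0].length;
  }
  return out + escapeText(src.slice(last));
}

// Trusted-Types-style gate (hypothetical names): the only way to mint a value
// the sink accepts is through the policy, so a raw string never reaches innerHTML.
const minted = new WeakSet();
const policy = {
  createHTML(untrusted) {
    const value = Object.freeze({ markup: sanitizeHTML(untrusted) });
    minted.add(value);
    return value;
  },
};
function setInnerHTML(element, value) {           // stand-in for the innerHTML sink
  if (!minted.has(value)) throw new TypeError('sink requires policy-created HTML');
  element.innerHTML = value.markup;
  return element.innerHTML;
}

// Constructed sample input: event handler, script, javascript: URL, entity, img.
const sample = '<p onclick="x()">hi<script>alert(1)</script> <a href="javascript:alert(1)">a</a>'
             + ' <a href="https://example.com" title="t">b</a> &amp; <img src=x onerror=alert(1)></p>';
console.log(setInnerHTML({}, policy.createHTML(sample)));
// <p>hi <a>a</a> <a href="https://example.com" title="t">b</a> &amp; </p>
```

The point of the gate is the one the reply makes: once every `innerHTML`-style assignment has to go through `setInnerHTML`, a lint rule or a runtime Trusted Types policy can flag the remaining direct assignments as the bug class, instead of reviewers having to prove each string was escaped.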

This is fantastic work! One thing I've been trying to accomplish on my own site is embedding others' HTML fragments along with CSS and/or fonts. I reckon there would be sanitization concerns for those technologies as well? I understand that might be outside the scope of your project, but I'd love to hear your thoughts on it.

That’s pretty much the exact use case of a sanitizer.

Am I right that this makes the tradeoff of removing the possibility for vulnerabilities in specific web applications, but creates the (admittedly slimmer) chance for Universal-ish XSS in browsers?

It’s a risk. That’s why there are bug bounty programs and open processes for the specification.

Browsers have a track record of being able to ship security bugs for severe issues within a day or two. Compare that to patching every individual website.

What is your opinion of Content Security Policies? Last time I looked it was praised as an XSS killer.

They are hard to configure and get right. If you overdo it, it can cause a lot of issues with real users.
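Added example, not from this thread: a small lint for Content-Security-Policy header values, showing the configuration mistakes that make a CSP look like an "XSS killer" on paper while still leaving injected script runnable. The directive names and source keywords are the CSP specification's own; the lint rules, the `lintCSP` / `strictCSP` names and the sample policies are constructed for this example and are not exhaustive.

```javascript
// Added example (not from the thread): lint a CSP header value for common gaps.

// Parse "directive value value; directive ..." into a Map. CSP keeps the first
// occurrence of a directive and ignores later duplicates.
function parseCSP(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), values);
  }
  return policy;
}

// Fetch directives (script-src, object-src, ...) fall back to default-src.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

function lintCSP(header) {
  const policy = parseCSP(header);
  const findings = [];
  const scripts = effectiveSources(policy, 'script-src');
  if (scripts === null) {
    findings.push('script-src: neither script-src nor default-src set, scripts are unrestricted');
  } else {
    // CSP3 ignores 'unsafe-inline' when a nonce or hash is present, so only
    // flag it when it is actually in effect.
    const hasNonceOrHash = scripts.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (scripts.includes("'unsafe-inline'") && !hasNonceOrHash)
      findings.push("script-src: 'unsafe-inline' without nonce/hash allows injected inline scripts");
    if (scripts.some((s) => s === '*' || s === 'http:' || s === 'https:'))
      findings.push('script-src: wildcard or scheme source allows scripts from any host');
    if (scripts.includes('data:'))
      findings.push('script-src: data: allows attacker-supplied script URLs');
    if (scripts.includes("'unsafe-eval'"))
      findings.push("script-src: 'unsafe-eval' allows eval()/Function() on injected strings");
  }
  const objects = effectiveSources(policy, 'object-src');
  if (objects === null || !objects.includes("'none'"))
    findings.push("object-src: not 'none', plugin content can still execute");
  if (!policy.has('base-uri'))
    findings.push('base-uri: missing, an injected <base> can redirect relative script URLs');
  return findings;
}

// The strict, nonce-based shape: pass a fresh, unguessable nonce per response
// (e.g. 16 random bytes from a CSPRNG, base64-encoded).
function strictCSP(nonce) {
  return `script-src 'nonce-${nonce}' 'strict-dynamic'; object-src 'none'; base-uri 'none'`;
}

// Constructed sample policies.
const permissive = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";
console.log(lintCSP(permissive));           // four findings
console.log(lintCSP(strictCSP('r4nd0m')));  // []
```

The permissive policy is the kind that passes a casual review ("we have a CSP") yet lets injected inline script run; the nonce-based one is short, but every inline script and every script-inserting library on the site has to carry the nonce, which is the "issues with real users" cost the reply refers to.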