-
Notifications
You must be signed in to change notification settings - Fork 74
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider dropping TrustedURL #65
Comments
If present in trusted-types directive, it will treat all http: and https: URLs like TrustedURLs. Fixes w3c#65. Such behavior still allows the sites to have a custom, type-only policy for URL sinks (even for policies that allow javascript: URLs and custom schemes), while allowing a relaxed (but DOM-XSS free) for sites that commonly use regular http(s): URLs in URL sinks.
CSP One more non-XSS reason for the websites to want to guard URL creation is HTTP authorization prompts from subresources, that could be used for phishing. See e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1357835 and https://bugs.chromium.org/p/chromium/issues/detail?id=239918 |
We started integrating the application with the polyfill. So far the biggest obstacle is the
TrustedURL
enforcement. It turns out linking to other content is common in the web (who knew?).Guarding how application produces URLs is important for XSS prevention because of a presence of scriptable protocols like
javascript:
(same-origin) ordata:
(cross-origin). Historically, there were also other URL schemes likejar:
that could result in an XSS.It's also desirable for non-XSS related reasons. Some examples:
tel:
], (https://tools.ietf.org/html/rfc3966#section-11),facetime:
, android intents,chrome-extension://
)http:
resource is fetched from ahttps:
documentiframes
from malicious URLs may enable exploitation of other bugs (e.g. when apostMessage
channel is established without verifying peer origins).action
orformaction
attributes may exfiltrate data (usually, credentials)<base>
URL might be used to hijack all relative links.However, in practice, for DOM XSS prevention alone it's enough if following the URL will not execute a script in a same-origin document. The check for this is simply - after parsing, and making the URL absolute, make sure it's not a
javascript:
one. In other words, there's no user-controlled sanitization required fora.href
and other standard URL sinks. It's enough if the document behaves like it would underscript-src *
, withoutunsafe-inline
keyword.In that spirit, we might simply drop the
TrustedURL
type and mandate that, under TT enforcement the host environment disablesjavascript
URLs (like if there was ascript-src
withoutunsafe-inline
). Such behavior is polyfillable (e.g.URL
may be used to correctly parse a URL and extract the protocol). This offers a very simple DOM XSS containment (only policies may introduce DOM XSS) setting:Content-Security-Policy: trusted-types [policy-list]
Authors could still introduce additional restrictions to URLs via
*-src
directives ornavigate-to
to address risks other than DOM XSS via URLs.The text was updated successfully, but these errors were encountered: