feat: default policy in every Virtual DOM Environment

[dgitin]

No description provided.

[jdalton]

❤️

[caridy]

this file is about language intrinsics, trustedTypes is not an intrinsic, it is just a DOM API.

[dgitin]

It was the only way to avoid having it remapped, as far as my knowledge on the near-membrane code could help me. Any other way to prevent it from being remapped ?

[caridy]

that is the thing, you should remap it, and distort it but only after creating the default policy for the iframe right before remapping everything.

[caridy]

here is my hunch on why this is wrong: if you attempt to use the defaultPolicy object from global after the iframe is detached, it will blow up, because there is no active window behind it. it works for eval because eval is an intrinsic, but probably not for other DOM APIs. That is a hunch, but I don't see a test for that here, let's try it. Basically, inside the sandbox, something like eval(trustedTypes.defaultPolicy. createScript('1')), and that might throw because the DOM API fails due to the iframe being disconnected, while something like eval(1) might succeed just fine.

[caridy]

It seems to me that remapping is something that we could do, but distort the defaultPolicy instance with the one created prior to patching the iframe. That should be equivalent but more elegant.

[caridy]

this file is about language intrinsics, trustedTypes is not an intrinsic, it is just a DOM API.

[caridy]

this should probably be configurable.

[dgitin]

configurable now.

[caridy]

this should be done prior to remap rather than after remap, in which case you don't have to use the intrinsics trick.

[dgitin]

The remap will just overwrite everything, I did that and I couldn't get the policy to be installed. Adding it as an intrinsic prevents remapping which is a problem when we define our default policy. So this is the only place to do it and it has to be an intrinsic even though the language doesn't define it as one it was the only way I found to prevent it from being remapped and interfering with the rest of the things (remapping & main window default policy).

[caridy]

the policy is installed before the remap, that is the key here, after that, who cares much about what they see. It is true that you might also need to distort the defaultPolicy to do nothing since the default will kick-in if you return a string, it is sort of redundant.

[dgitin]

It seems to me that remapping is something that we could do, but distort the defaultPolicy instance with the one created prior to patching the iframe. That should be equivalent but more elegant.

The policy needs to be declared as being part of this window, not distorted. Once things are remapped declaring a default policy in the virtual env becomes a problem so if you know a more elegant way of achieving the same result I'd like to know about it.

[github-actions]

Metric	Coverage Percent	Covered / Total
Statements	80.75%	( 822/1018 )
Branches	61.24%	( 256/418 )
Functions	72.48%	( 79/109 )
Lines	80.49%	( 792/984 )
Total	73.74%

See detailed coverage

[jdalton]

It's configurable and done before remapping!

[caridy]

thanks for making these changes. can we add some tests for this?

[dgitin]

thanks for making these changes. can we add some tests for this?

Testing is problematic there is absolutely nothing set up at the moment to support this scenario. First, there is no policy to assert on in the virtual environment because the entire trustedTypes object gets remapped. Second, testing with Trusted Types is quite the challenge on this repo, the code needs to load once, declare the policies and then assert that evaluation is possible in the environment but not in the main window which would confirm that virtual environment run with their own TT policy. So definitely not as simple as just writing a test. The test is easy, the setting up, quite the opposite.