
Trusted Types #232

Open
Malvoz opened this issue Feb 12, 2020 · 7 comments

Comments

@Malvoz

Malvoz commented Feb 12, 2020

Consider adding the trusted-types and require-trusted-types-for directives.

@kingthorin
Contributor

Google CSP evaluator is already including it and Chrome, Edge, Opera and Android browsers are supporting it.

Ref: zaproxy/zaproxy#6602

@kingthorin
Contributor

Any chance this will be added/handled anytime soon?

@kingthorin
Contributor

Or is there something I could model it after and raise a PR?

@kingthorin
Contributor

@bakkot Any tips on tackling this one? I think I’m ready to give it a shot. I can start totally in the dark but any tips to make the PR require potentially less review/revision would be wonderful.

@bakkot
Member

bakkot commented Apr 6, 2022

The process will be basically

  • define new Value kinds for new directive values which are more complex than just a boolean. At a glance, you probably want a special Value kind for tt-policy-name, but the others look like they can be handled as booleans on the directive.
  • define new Directives kind for both new directives ("trusted-types" and "require-trusted-types-for")
    • add helpers to allow reading and writing their attributes, and ensure that updating keeps their internal values field up to date (by using the addValue and removeValueIgnoringCase helpers, mainly)
  • update the parser to handle them
  • add tests
  • optionally add helpers for queries like "Should Trusted Type policy creation be blocked by Content Security Policy?", though these aren't so important.

The main challenge in my experience is figuring out what the spec is trying to say and whether that's actually what browsers do. For example, it says the syntax is defined by an ABNF, which means keywords are case-insensitive ("ABNF strings are case insensitive"). So per spec, 'ALLow-DUPlicATES' is a legal way to write 'allow-duplicates'. Is that actually intentional? Is that what browsers do? Gotta check. Similarly, are policy names case-sensitive or not? That affects the representation and especially the manipulation of those Values.
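The steps outlined in the comment above (a dedicated value kind for tt-policy-name, booleans for the keywords, a parser for both directives, and a "should policy creation be blocked?" helper), worked through as an added JavaScript example. This is not the project's code and not taken from the thread; it follows the token grammar of the W3C Trusted Types spec, where a tt-policy-name is a run of ALPHA / DIGIT and the characters - # = _ / @ . %, and require-trusted-types-for accepts only 'script'. It adopts two choices the comment flags as needing verification against browsers: quoted keywords are matched case-insensitively (the ABNF reading) and policy names are matched case-sensitively. The function names parsePolicy, parseTrustedTypes, parseRequireTrustedTypesFor and policyCreationBlocked are chosen here and are not the project's API.

```javascript
// Added example (not the project's code). Assumptions: quoted keywords such as
// 'allow-duplicates' and 'script' are matched case-insensitively as the ABNF
// implies; policy names are matched case-sensitively.

// tt-policy-name = 1*( ALPHA / DIGIT / "-" / "#" / "=" / "_" / "/" / "@" / "." / "%" )
const POLICY_NAME = /^[A-Za-z0-9\-#=_\/@.%]+$/;

// Parse the value of a trusted-types directive (everything after the name).
// Keywords become booleans, policy names go into a Set, anything else is
// reported as invalid so a caller can surface a parse warning.
function parseTrustedTypes(valueText) {
  const result = { policyNames: new Set(), allowDuplicates: false, wildcard: false, none: false, invalid: [] };
  for (const token of valueText.trim().split(/[ \t]+/).filter(Boolean)) {
    const lower = token.toLowerCase();
    if (lower === "'allow-duplicates'") result.allowDuplicates = true;
    else if (lower === "'none'") result.none = true;
    else if (token === '*') result.wildcard = true;
    else if (POLICY_NAME.test(token)) result.policyNames.add(token); // case-sensitive
    else result.invalid.push(token);
  }
  return result;
}

// Parse the value of require-trusted-types-for; only 'script' is defined.
function parseRequireTrustedTypesFor(valueText) {
  const sinkGroups = new Set();
  const invalid = [];
  for (const token of valueText.trim().split(/[ \t]+/).filter(Boolean)) {
    if (token.toLowerCase() === "'script'") sinkGroups.add('script');
    else invalid.push(token);
  }
  return { sinkGroups, invalid };
}

// Split a serialized CSP into directive name -> raw value text. Directive
// names are case-insensitive; on duplicates the first occurrence wins.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const [name, ...rest] = trimmed.split(/[ \t]+/);
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, rest.join(' '));
  }
  return directives;
}

// "Should Trusted Type policy creation be blocked by Content Security Policy?"
// for one enforced policy: blocked when no trusted-types expression matches
// the requested name (and no wildcard is present), or when the name was
// already created and 'allow-duplicates' is absent. A policy without the
// directive never blocks. 'none' contributes no names, so it blocks everything.
function policyCreationBlocked(header, policyName, createdPolicyNames = []) {
  const directives = parsePolicy(header);
  if (!directives.has('trusted-types')) return false;
  const tt = parseTrustedTypes(directives.get('trusted-types'));
  const nameAllowed = tt.wildcard || tt.policyNames.has(policyName);
  if (!nameAllowed) return true;
  const alreadyCreated = createdPolicyNames.includes(policyName);
  return alreadyCreated && !tt.allowDuplicates;
}

// Whether the policy requires Trusted Types for the DOM XSS script sinks.
function requiresTrustedTypesForScript(header) {
  const directives = parsePolicy(header);
  if (!directives.has('require-trusted-types-for')) return false;
  return parseRequireTrustedTypesFor(directives.get('require-trusted-types-for')).sinkGroups.has('script');
}

// Constructed sample header used when the file is run directly.
const SAMPLE_HEADER = "default-src 'self'; require-trusted-types-for 'script'; trusted-types sanitizer 'ALLow-DUPlicATES'";
console.log('blocked for "sanitizer":', policyCreationBlocked(SAMPLE_HEADER, 'sanitizer'));
console.log('blocked for "other":', policyCreationBlocked(SAMPLE_HEADER, 'other'));
console.log('requires TT for script:', requiresTrustedTypesForScript(SAMPLE_HEADER));
```

The two open questions from the comment are isolated in one place each: keyword handling is the `toLowerCase()` call in the two parsers, and policy-name handling is the single `Set.has` lookup, so whichever answer a browser check gives can be switched without touching the blocking logic.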

@kingthorin
Contributor

Thank you!

@kingthorin
Contributor

I've started and given up on this a few times. If someone else feels like giving it a go please don't wait on me coming through 😞
