Why is there no type for style / CSS? #104
Comments
Do you mean the type for:
The reason for TT being CSS-agnostic is that we started with something that's limited in scope to prevent DOM XSS, and stylesheets cannot cause that (assuming
All three would be useful. The individual CSS properties case is trickier because it is not well known outside very specialized circles. There is a lot more ad-hoc code that will deal with raw strings today. This likely means that it is a more difficult upgrade path, but also that this is an actively vulnerable surface today which would benefit from Trusted Types. There is some significant overlap with CSS Typed OM ImageValue here as well. That solves most issues on its own, but tying it to a scoped policy might have additional value.
You also need
I'll look into how involved the style types implementation would be.
We decided to focus Trusted Types v1 on DOM XSS only, so protecting against style injection is not in scope for now. We can amend the API in future revisions.
It's possible to add support for custom types and custom sinks to the API like so: https://gist.github.com/koto/1d044f6029ee337beffb4487b80f8b02
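As an added example, not code from this issue, the linked gist, or the Trusted Types project: a standalone Node sketch of the "custom type plus custom sink" idea applied to CSS, i.e. what a style-flavoured trusted type with a scoped policy could look like. The names TrustedStyle, createStylePolicy and setStyleProperty, the property allow-list and the rejected patterns are all hypothetical; a real implementation would hook the browser's policy factory and the actual style sinks (element.style, CSSStyleSheet) rather than the plain object used here.

```javascript
// Hypothetical sketch of a CSS-flavoured trusted type (added example, not
// from the issue or the Trusted Types spec). The type can only be minted by
// a named policy, and the sink refuses anything that is not that type.

// Hypothetical allow-list of properties the policy is willing to vet.
const ALLOWED_PROPERTIES = new Set([
  'color', 'background-color', 'width', 'height', 'font-size',
]);

// Value patterns the policy refuses regardless of property: url() can be
// abused for exfiltration, expression() is legacy script execution, and
// ';' '{' '}' would let a value escape its property or rule.
const FORBIDDEN = [
  /url\s*\(/i,
  /expression\s*\(/i,
  /@import/i,
  /javascript:/i,
  /[;{}]/,
];

// The custom type: an immutable (property, value) pair. Code outside this
// file cannot obtain one except through a policy's createStyle().
class TrustedStyle {
  constructor(property, value) {
    this.property = property;
    this.value = value;
    Object.freeze(this);
  }
  toString() {
    return `${this.property}: ${this.value}`;
  }
}

function isTrustedStyle(x) {
  return x instanceof TrustedStyle;
}

// A scoped policy: the caller supplies the sanitizer, the policy wraps its
// output into the trusted type. Returning null from the sanitizer rejects.
function createStylePolicy(name, { createStyle }) {
  if (typeof createStyle !== 'function') {
    throw new TypeError('createStyle sanitizer is required');
  }
  return Object.freeze({
    name,
    createStyle(property, value) {
      const out = createStyle(String(property), String(value));
      if (out === null) {
        throw new TypeError(`policy "${name}" rejected ${property}`);
      }
      return new TrustedStyle(out.property, out.value);
    },
  });
}

// A "sink" standing in for element.style.setProperty(): accepts the trusted
// type only, so raw strings from ad-hoc code fail loudly instead of silently.
function setStyleProperty(element, style) {
  if (!isTrustedStyle(style)) {
    throw new TypeError('this sink requires a TrustedStyle, not a raw string');
  }
  element.style[style.property] = style.value;
  return element;
}

// Example policy: allow-listed property, no forbidden patterns in the value.
const layoutPolicy = createStylePolicy('layout', {
  createStyle(property, value) {
    const prop = property.trim().toLowerCase();
    if (!ALLOWED_PROPERTIES.has(prop)) return null;
    const v = value.trim();
    if (FORBIDDEN.some((re) => re.test(v))) return null;
    return { property: prop, value: v };
  },
});

// Walks the happy path and both failure modes against a constructed
// stand-in for a DOM element; returns what happened so it can be checked.
function demo() {
  const el = { style: {} }; // constructed stand-in, not a real element
  setStyleProperty(el, layoutPolicy.createStyle('color', 'red'));

  let rawRejected = false;
  try { setStyleProperty(el, 'color: red'); } catch (e) { rawRejected = true; }

  let urlRejected = false;
  try {
    layoutPolicy.createStyle('background-color', 'url(https://evil.example/?x)');
  } catch (e) { urlRejected = true; }

  return { el, rawRejected, urlRejected };
}

module.exports = { TrustedStyle, isTrustedStyle, createStylePolicy, setStyleProperty, layoutPolicy, demo };
```

The point of the sketch is the shape, not the sanitizer: the sink's check is a type check, so the only code that needs review is the handful of policies that can mint the type, which is the same property Trusted Types gives HTML and script sinks today.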
CSP does consider it problematic and there have been some purely CSS-based exploits.