-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Trusted Types #186
Comments
FYI, @bartoszniemczura is from Meta 😊 |
The title of the label clarifies that |
I guess this was the position in 2020 at least ... Did @othermaciej's concerns/comments get worked out? |
I posted this on Interop 2024 as well but posting across the position issues as well just in case it gets lost: Salesforce strongly supports the Trusted Types proposal, considering the imminent regulatory changes in the Netherlands and the broader EU, as outlined in the eIDAS Regulation. The U/PW.03 Standard of DigiD assessment demands the removal of 'unsafe-eval' from CSP, a challenge that will be mirrored across Europe. This presents critical compliance and potential reputation risks for our customers, especially in the public sector and healthcare. Trusted Types have shown efficacy in XSS risk reduction, demonstrated by Google's successful adoption. This underlines the standard's relevance and potential impact. |
I did not immediately understand the relation, but w3c/trusted-types#143 clarifies it a bit. Given Especially the existence of https://w3c.github.io/trusted-types/dist/spec/#default-policy-hdr suggests that when regulation is not aware of Trusted Types existing, Trusted Types, such regulation, and budget/deadlines might encourage application developers to do rather dangerous things. |
I can't speak for the spirit of the regulatory assessment, but a crucial difference between If the spirit aims to reduce the risk of XSS, and user-controlled data passed to |
@annevk in general, we need a mechanism for controlled evaluation, to reduce the risk of XSS, and that is the spirit of this new regulation. To that intent, TrustedTypes seems to be the leading candidate to pave the way, and in a sense, provide a mechanism to support legacy systems that were designed prior to the CSP era. I think @koto is on point with respect to @koto with respect to |
I'm very confused by the feedback from @gregwhitworth and @caridy. As @koto pointed out TT can't weaken CSP. @gregwhitworth @caridy is your hope that CSP is modified to have a non- Apart from that, it also seems concerning that the current draft reportedly lacks features Chromium has implemented (per mozilla/standards-positions#20 (comment)) and apparently also has features that are not being implemented? Such as On the flip-side the arguments presented in mozilla/standards-positions#20 (comment) are compelling and do make it seem like Trusted Types could be a valuable addition to the web platform. |
I'm also getting confused. TT is part of CSP headers today. I also understand that implementers see them as two different/separate pieces, but for a developer, you're effectively making changes to one header. The question is what changes a developer has to make to the header to support controlled evaluation to prevent XSS, it is not about what technology does the job under the hood. Additionally, and historically, implementers have found ways to support "legacy" browsers that only support a subset of the CSP headers supported by newer browsers, and that is great and desirable. This time around, there is another factor, regulators enforcing that a very particular CSP header (unsafe-eval) not to be present. We are going to be at odds with the regulators, and how are we going to overcome this? Either regulators change their position (very unlikely but possible), or we find ways to introduce CSP header changes that allows us to do control evaluation using TT while not having unsafe-eval present in the header. And as always, take that with a grain of salt because I'm just in the middle of the crossed fire here trying to figure how to articulate where we are today.
We are working with igalia to try to identify those, opening issues for each individual case, and try to come to agreements to move forward (e.g.: w3c/trusted-types#398). cc @lukewarlow |
To provide more context to this, I'm not aware of anything Chrome has shipped to stable that isn't in the spec. They additionally have implemented some features behind experimental flags, some such as We at Igalia are committed to bringing the specification up to scratch, I've already opened a number of issues to try and get answers to unanswered questions. |
Wrt to the CSP integration I can see value in a potential Of course this doesn't stop code running in browsers without CSP or with it disabled but that would seem out of scope for this. Regardless that discussion is best had in the relevant standards bodies just thought I'd try and provide a bit of additional context. |
Just throwing it out there. I know this has compat consequences, but given the real and perceived complexity in CSP, I could also envision that Trusted Types detangles its controls from CSP completely. |
@lukewarlow With "don't have access", do you mean
|
It would behave as if you have strict csp without unsafe-eval today. I believe there'd discussions surrounding the eval csp aspect elsewhere so I'll leave a comment there. Though that aspect is rather adjacent to trusted types API in general so I don't want to get caught up on that aspect. |
According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_eval_expressions it'd behave as a no-op. |
Colleagues and I discussed this once more and our suggestion is to mark this as ‘position: support’ one week from now with the ongoing caveat that standardization needs to be completed before we can feel fully confident about the implementation in WebKit. (The CSP integration issue discussed above has now moved to #355 (comment).) |
WebKittens
@annevk @hober @marcoscaceres
Title of the spec
Trusted Types
URL to the spec
https://www.w3.org/TR/trusted-types/
URL to the spec's repository
https://github.com/w3c/trusted-types/tree/main/spec
TAG Design Review URL
w3ctag/design-reviews#198
Mozilla standards-positions issue URL
mozilla/standards-positions#20
WebKit Bugzilla URL
No response
Radar URL
No response
Description
Trusted Types is an optional browser mechanism for web sites to help protect themselves against cross-site scripting (XSS) attacks. It limits the attack surface from potentially the entire code base to a handful of "policies" that a developer can implement and install, and the browser will then enforce. Trusted Types can help to ensure that risky parts of the DOM can only be used by data that has gone through such a developer-supplied policy.
Sharing some data points that might be useful to consider while evaluating the position:
XSS is still prevalent in Web Applications:
#1
vulnerability in HackerOne 2021 industry report#1
vulnerability in Bugcrowd 2021 Report#2
vulnerability in 2022 CWE Top 25 list#3
vulnerability in Injection category in 2021 OWASP report (note that the category contains other vulnerability types),#3
vulnerability in CVE charts in 2022Adoption across the Internet:
Existing Browser Support
Supporting Trusted Types in Safari would match the level of protection in other browsers and would add additional defense against XSS.
The text was updated successfully, but these errors were encountered: