Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Trusted Types #186

Closed
bartoszniemczura opened this issue May 15, 2023 · 16 comments
Closed

Trusted Types #186

bartoszniemczura opened this issue May 15, 2023 · 16 comments
Labels
concerns: complexity This proposal seems needlessly complex from: Google Proposed, edited, or co-edited by Google. position: support topic: javascript Spec relates to the JavaScript programming language topic: security venue: W3C Web Application Security WG Proposal is being reviewed in the W3C's Web Application Security WG (aka WebAppSec)

Comments

@bartoszniemczura
Copy link

bartoszniemczura commented May 15, 2023

WebKittens

@annevk @hober @marcoscaceres

Title of the spec

Trusted Types

URL to the spec

https://www.w3.org/TR/trusted-types/

URL to the spec's repository

https://github.com/w3c/trusted-types/tree/main/spec

TAG Design Review URL

w3ctag/design-reviews#198

Mozilla standards-positions issue URL

mozilla/standards-positions#20

WebKit Bugzilla URL

No response

Radar URL

No response

Description

Trusted Types is an optional browser mechanism for web sites to help protect themselves against cross-site scripting (XSS) attacks. It limits the attack surface from potentially the entire code base to a handful of "policies" that a developer can implement and install, and the browser will then enforce. Trusted Types can help to ensure that risky parts of the DOM can only be used by data that has gone through such a developer-supplied policy.

Sharing some data points that might be useful to consider while evaluating the position:

  • XSS is still prevalent in Web Applications:

  • Adoption across the Internet:

    • Meta, Microsoft and Google indicated in W3C WebAppSec forum that they have successfully deployed Trusted Types in number of their applications and that they recommend its usage across Web Applications,
    • https://mitigation.supply/ - Trusted Types enforcement in 14% of Chromes's page loads (from 10% in March 2022). Strict CSP enforcement at 25%.
    • HTTPArchive crawls (credentialless scans) show enforcing CSP with Trusted Types served on >200 non-Google-related domains in March 2023. >160 domains serve report-only CSP. Some of those are served on login pages (e.g. auth.heroku.com, app.knudge.com, login.erply.com), suggesting integration in underlying web applications.
  • Existing Browser Support

Supporting Trusted Types in Safari would match the level of protection in other browsers and would add additional defense against XSS.

@hober hober added topic: javascript Spec relates to the JavaScript programming language venue: W3C Web Application Security WG Proposal is being reviewed in the W3C's Web Application Security WG (aka WebAppSec) topic: security labels May 18, 2023
@hober hober added the from: Google Proposed, edited, or co-edited by Google. label May 18, 2023
@hober hober moved this from Unscreened to Needs assignees in Standards Positions Review Backlog May 18, 2023
@hober hober added the concerns: complexity This proposal seems needlessly complex label May 18, 2023
@shhnjk
Copy link

shhnjk commented May 18, 2023

FYI, @bartoszniemczura is from Meta 😊

@annevk
Copy link
Contributor

annevk commented May 22, 2023

The title of the label clarifies that from: is not about who is asking the WebKit community, but rather who the proposal is from. So this is accurate.

@bkardell
Copy link

I guess this was the position in 2020 at least ... Did @othermaciej's concerns/comments get worked out?

@gregwhitworth
Copy link

I posted this on Interop 2024 as well but posting across the position issues as well just in case it gets lost:

Salesforce strongly supports the Trusted Types proposal, considering the imminent regulatory changes in the Netherlands and the broader EU, as outlined in the eIDAS Regulation.

The U/PW.03 Standard of DigiD assessment demands the removal of 'unsafe-eval' from CSP, a challenge that will be mirrored across Europe. This presents critical compliance and potential reputation risks for our customers, especially in the public sector and healthcare.

Trusted Types have shown efficacy in XSS risk reduction, demonstrated by Google's successful adoption. This underlines the standard's relevance and potential impact.

@annevk
Copy link
Contributor

annevk commented Dec 2, 2023

I did not immediately understand the relation, but w3c/trusted-types#143 clarifies it a bit. Given TrustedScript.fromLiteral() from https://w3c.github.io/trusted-types/dist/spec/#trusted-script it appears as if Trusted Types would allow you to bypass the spirit of that assessment. As in, instead of eval('something()') you'd write eval(TrustedScript.fromLiteral(`something()`)) and it would not be considered "unsafe". I hope I'm misunderstanding something. Could you clarify perhaps?

Especially the existence of https://w3c.github.io/trusted-types/dist/spec/#default-policy-hdr suggests that when regulation is not aware of Trusted Types existing, Trusted Types, such regulation, and budget/deadlines might encourage application developers to do rather dangerous things.

@koto
Copy link

koto commented Dec 2, 2023

I can't speak for the spirit of the regulatory assessment, but a crucial difference between eval and TrustedScript.fromLiteral case is that the latter cannot be a DOM XSS, since the value passed to fromLiteral has to literally be present in a code, with no interpolation allowed.

If the spirit aims to reduce the risk of XSS, and user-controlled data passed to eval is recognized as a significant part of the problem, fromLiteral addresses that completely. The letter of the regulation, however, seems to be mostly concerned about the presence of unsafe keywords in CSP, which TT actually doesn't change. In other words, eval(TrustedScript.fromLiteral(`something`) still throws if a document has a script-src CSP without unsafe-eval. TT don't relax existing CSP restrictions, only add to them.

@caridy
Copy link

caridy commented Dec 4, 2023

@annevk in general, we need a mechanism for controlled evaluation, to reduce the risk of XSS, and that is the spirit of this new regulation. To that intent, TrustedTypes seems to be the leading candidate to pave the way, and in a sense, provide a mechanism to support legacy systems that were designed prior to the CSP era.

I think @koto is on point with respect to TrustedScript.fromLiteral, that should not be an issue for us at salesforce, although I don't think fromLiteral was ever implemented (I suspect due to its complexity). Neither it is the default token, we managed to add abstractions everywhere we do a control evaluation in our codebase, we didn't manage to remove the evaluation though.

@koto with respect to unsafe-eval presence, I hope that we can find a solution that blocks eval in non-TT compatible browsers (even if that means degraded service), while allowing controlled evaluation in newer browsers with TT enabled. That is the ask, and to that extend, introducing a new csp rule that is somewhat redundant to unsafe-eval seems fine to me.

@annevk
Copy link
Contributor

annevk commented Jan 15, 2024

I'm very confused by the feedback from @gregwhitworth and @caridy. As @koto pointed out TT can't weaken CSP.

@gregwhitworth @caridy is your hope that CSP is modified to have a non-unsafe-eval rule that nonetheless allows eval() when TT is used because something in TT makes that okay? And that this would satisfy the DigiD regulation? That seems like a lot of hypotheticals? Or are there concrete proposals here to evaluate?


Apart from that, it also seems concerning that the current draft reportedly lacks features Chromium has implemented (per mozilla/standards-positions#20 (comment)) and apparently also has features that are not being implemented? Such as fromLiteral?

On the flip-side the arguments presented in mozilla/standards-positions#20 (comment) are compelling and do make it seem like Trusted Types could be a valuable addition to the web platform.

@caridy
Copy link

caridy commented Jan 16, 2024

@annevk

As @koto pointed out TT can't weaken CSP.

I'm also getting confused. TT is part of CSP headers today. I also understand that implementers see them as two different/separate pieces, but for a developer, you're effectively making changes to one header. The question is what changes a developer has to make to the header to support controlled evaluation to prevent XSS, it is not about what technology does the job under the hood. Additionally, and historically, implementers have found ways to support "legacy" browsers that only support a subset of the CSP headers supported by newer browsers, and that is great and desirable. This time around, there is another factor, regulators enforcing that a very particular CSP header (unsafe-eval) not to be present. We are going to be at odds with the regulators, and how are we going to overcome this? Either regulators change their position (very unlikely but possible), or we find ways to introduce CSP header changes that allows us to do control evaluation using TT while not having unsafe-eval present in the header. And as always, take that with a grain of salt because I'm just in the middle of the crossed fire here trying to figure how to articulate where we are today.

Apart from that, it also seems concerning that the current draft reportedly lacks features Chromium has implemented (per mozilla/standards-positions#20 (comment)) and apparently also has features that are not being implemented? Such as fromLiteral?

We are working with igalia to try to identify those, opening issues for each individual case, and try to come to agreements to move forward (e.g.: w3c/trusted-types#398). cc @lukewarlow

@lukewarlow
Copy link
Member

Apart from that, it also seems concerning that the current draft reportedly lacks features Chromium has implemented (per mozilla/standards-positions#20 (comment)) and apparently also has features that are not being implemented? Such as fromLiteral?

To provide more context to this, I'm not aware of anything Chrome has shipped to stable that isn't in the spec. They additionally have implemented some features behind experimental flags, some such as fromLiteral are in the spec atm (though see w3c/trusted-types#398 for discussion on deferring that to level 2), others such as the beforecreatepolicy event aren't specced (see w3c/trusted-types#270 for the discussion about it, this too will be deferred to v2 but I've requested a spec PR based on Chrome's implementation to evaluate).

We at Igalia are committed to bringing the specification up to scratch, I've already opened a number of issues to try and get answers to unanswered questions.

@lukewarlow
Copy link
Member

Wrt to the CSP integration I can see value in a potential trusted-eval (name tbd) expression to replace unsafe-eval. This new value along with the existing trusted types directives could create a situation where trusted types are enforced on eval (etc) and in unsupporting browsers you don't have access to eval at all (as opposed to unsafe where you would fallback to lower security). This would seem to address the regulatory requirements while also providing actual value in the form of additional security guarantees.

Of course this doesn't stop code running in browsers without CSP or with it disabled but that would seem out of scope for this.

Regardless that discussion is best had in the relevant standards bodies just thought I'd try and provide a bit of additional context.

@mozfreddyb
Copy link

Just throwing it out there. I know this has compat consequences, but given the real and perceived complexity in CSP, I could also envision that Trusted Types detangles its controls from CSP completely.

@mbrodesser-Igalia
Copy link

mbrodesser-Igalia commented Jan 18, 2024

Wrt to the CSP integration I can see value in a potential trusted-eval (name tbd) expression to replace unsafe-eval. This new value along with the existing trusted types directives could create a situation where trusted types are enforced on eval (etc) and in unsupporting browsers you don't have access to eval at all

@lukewarlow With "don't have access", do you mean eval becomes a no-op, or something else?

(as opposed to unsafe where you would fallback to lower security). This would seem to address the regulatory requirements while also providing actual value in the form of additional security guarantees.

Of course this doesn't stop code running in browsers without CSP or with it disabled but that would seem out of scope for this.

Regardless that discussion is best had in the relevant standards bodies just thought I'd try and provide a bit of additional context.

@lukewarlow
Copy link
Member

It would behave as if you have strict csp without unsafe-eval today. I believe there'd discussions surrounding the eval csp aspect elsewhere so I'll leave a comment there.

Though that aspect is rather adjacent to trusted types API in general so I don't want to get caught up on that aspect.

@mbrodesser-Igalia
Copy link

According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_eval_expressions it'd behave as a no-op.

@annevk
Copy link
Contributor

annevk commented Jun 17, 2024

Colleagues and I discussed this once more and our suggestion is to mark this as ‘position: support’ one week from now with the ongoing caveat that standardization needs to be completed before we can feel fully confident about the implementation in WebKit.

(The CSP integration issue discussed above has now moved to #355 (comment).)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
concerns: complexity This proposal seems needlessly complex from: Google Proposed, edited, or co-edited by Google. position: support topic: javascript Spec relates to the JavaScript programming language topic: security venue: W3C Web Application Security WG Proposal is being reviewed in the W3C's Web Application Security WG (aka WebAppSec)
Development

No branches or pull requests