Cover missing sinks #169

Closed
koto opened this issue May 9, 2019 · 2 comments


koto commented May 9, 2019

  • HTMLElement.manifest
  • Link.imagesrcset
  • (a|area|svg:a) ping (space separated URLs)

There's also some URLs that don't seem to be used by the user agent in any way:

  • blockquote cite
  • * itemid
  • * itemprop
  • * itemtype
@koto koto changed the title Cover missing types Cover missing sinks May 10, 2019
@koto koto added this to the v1 milestone Jun 24, 2019
@koto koto added the spec label Jun 24, 2019
@mikesamuel mikesamuel self-assigned this Jul 3, 2019

koto commented Jul 3, 2019

Blob constructor as well. We should require TrustedHTML if the Blob type is one of the HTML types. It seems fine to allow for constructing Blobs from non-DOMString arguments.

While usually the blobs are used in new documents, like iframes, where they can simply trigger in-origin XSS from user input, they can also be used to create nodes from strings like this:

// Build an HTML-typed Blob from a plain string and fetch it back as a parsed Document.
b = new Blob([`<script>alert(1)</script>`], {type: 'text/html'});
xhr = new XMLHttpRequest();
xhr.responseType = 'document';
xhr.open('GET', URL.createObjectURL(b), true);
xhr.onload = () => {
  // The response is a Document parsed from the string; its first <script> is a new,
  // not-yet-executed script node created without going through any TrustedHTML sink.
  console.log(xhr.response.scripts[0]);
};
xhr.send();
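
A sketch of the check proposed in the comment above, added here as an example and not code from the Trusted Types spec or polyfill: HTML-typed Blobs may only be built from TrustedHTML parts or binary parts, while other types accept plain strings. The TrustedHTML stand-in, the list of HTML MIME types and the `guardedBlob` name are assumptions.

```javascript
// Stand-in for TrustedHTML so the example runs outside a browser (assumption).
class FakeTrustedHTML {
  constructor(html) { this.html = html; }
  toString() { return this.html; }
}

// MIME types a user agent parses as HTML when the blob: URL is navigated to or
// fetched with responseType 'document' (assumed list; the issue names no fixed set).
const HTML_MIME_TYPES = new Set(['text/html', 'application/xhtml+xml']);

// Reduce a Blob "type" option to its essence the way the Blob constructor does:
// parameters such as "; charset=utf-8" dropped, then lowercased.
function essenceOf(type) {
  return String(type || '').split(';')[0].trim().toLowerCase();
}

// Binary parts (ArrayBuffer, typed arrays, DataView, Blob) are not DOMString
// arguments, so they are allowed regardless of the declared type.
function isBinaryPart(part) {
  return part instanceof ArrayBuffer || ArrayBuffer.isView(part) ||
         (typeof Blob !== 'undefined' && part instanceof Blob);
}

// Decide whether a Blob with these parts and this type passes the check:
// non-HTML types pass unconditionally; HTML types require every part to be
// either TrustedHTML or binary. Any other value (string, or an object the Blob
// constructor would stringify to "[object Object]") is rejected.
function blobPartsAllowed(parts, type, TrustedHTMLCtor = FakeTrustedHTML) {
  if (!HTML_MIME_TYPES.has(essenceOf(type))) return true;
  return Array.from(parts).every(
    part => part instanceof TrustedHTMLCtor || isBinaryPart(part));
}

// Wrapper that enforces the check before delegating to the real Blob constructor.
// TrustedHTML parts are unwrapped to their string content for the underlying Blob.
function guardedBlob(parts, options = {}) {
  if (!blobPartsAllowed(parts, options.type)) {
    throw new TypeError('Blob of an HTML type requires TrustedHTML or binary parts');
  }
  const unwrapped = Array.from(parts).map(
    p => (p instanceof FakeTrustedHTML ? p.toString() : p));
  return new Blob(unwrapped, options);
}
```

The later comment in this thread explains why a constructor check alone does not close the gap: a colluding same-origin document can still create the Blob without any policy, so this guard is a sink cover, not a complete fix.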

@koto koto added the polyfill label Jul 17, 2019
koto added a commit that referenced this issue Sep 4, 2019
…ascript: URLs. (#204)

This removes the burden from all authors to create types when interacting with common sinks that usually don't cause DOM XSS (unless for javascript: URLs).

This PR prevents javascript: URLs from working by default, and allows programmatic opt-in to enable them one-by-one for the few applications that need them.

Related to #176.
Partially addresses #169.
Fixes #64.

koto commented Mar 2, 2020

The sinks mentioned in #169 (comment) self-deprecated with TrustedURL.

Blob is complicated, and it seems like TT can't solve it alone. In general, TT are bypassable with a colluding same-origin document (https://w3c.github.io/webappsec-trusted-types/dist/spec/#cross-document-vectors) - a problem that Blobs surface. It looks like a better primitive would be to make Blobs inherit the creator's policies - w3c/FileAPI#142, or allow for cross-origin/sandboxed blob creation, perhaps by default.

@koto koto closed this as completed Mar 2, 2020