
Should require-trusted-types-for support trusted scripts and trusted script URLs? #383

Closed
mbrodesser-Igalia opened this issue Jan 8, 2024 · 7 comments · Fixed by #407

Comments

@mbrodesser-Igalia
Collaborator

https://w3c.github.io/trusted-types/dist/spec/#require-trusted-types-for-csp-directive contains a note that currently only the enforcement of trusted types for DOM XSS injection sinks is supported. The corresponding ABNF form reflects that.

However, trusted scripts (https://w3c.github.io/trusted-types/dist/spec/#trusted-script) and trusted script URLs (https://w3c.github.io/trusted-types/dist/spec/#trused-script-url) are specified.

@koto
Member

koto commented Jan 15, 2024

The note is technically correct, but unclear. The intention here was that there are 2 sink groups currently defined: DOM XSS and HTML. require-trusted-types-for 'script' enables enforcement of the DOM XSS sink group, but HTML is included then as well:

Since HTML parsers can create arbitrary elements, including scripts, and set arbitrary attributes, enabling the enforcement of any trusted-types-sink-group also implies enforcing types for HTML injection sinks.

@koto
Member

koto commented Jan 15, 2024

I realized there must be another confusion here too. require-trusted-types-for 'script' is for all the sinks, with all three types (TrustedHTML, TrustedScript, TrustedScriptURL) defined in the spec. The script here might be misleading, it's meant to represent script execution (XSS), like script-src, and not the type.

@mbrodesser-Igalia
Collaborator Author

> I realized there must be another confusion here too. require-trusted-types-for 'script' is for all the sinks, with all three types (TrustedHTML, TrustedScript, TrustedScriptURL) defined in the spec.

Indeed, that was the confusion.

> The script here might be misleading, it's meant to represent script execution (XSS), like script-src, and not the type.

script-execution instead of script would describe that. Alternatively, updating the documentation around it might suffice.

@mbrodesser-Igalia
Collaborator Author

> The note is technically correct, but unclear. The intention here was that there are 2 sink groups currently defined: DOM XSS and HTML. require-trusted-types-for 'script' enables enforcement of the DOM XSS sink group, but HTML is included then as well:

Thanks for the explanation. It seems https://w3c.github.io/trusted-types/dist/spec/#require-trusted-types-for-csp-directive could be simplified to require-trusted-types-for-script or require-trusted-types-for-script-execution. Then, sink groups would not be part of the normative spec. Sink groups could still be distinguished in the informal parts of the spec.
Or is there any intention to enrich require-trusted-types-for with other values later?

> Since HTML parsers can create arbitrary elements, including scripts, and set arbitrary attributes, enabling the enforcement of any trusted-types-sink-group also implies enforcing types for HTML injection sinks.

@lukewarlow
Member

I was also initially confused by this. There was #256, which ended up not being valid, but it's possible we'd want to add other sink groups in future and as such not want to limit the spec to just scripts.

Being pragmatic given this has shipped in Chromium already I think it might make sense just to clarify the spec language and any documentation (such as MDN) but leave it as it is currently?

@lukewarlow
Member

Alternatively, we could keep this as it is (maybe deprecated?) but introduce a new require-trusted-types directive, but I don't know if the cost:benefit ratio is worth it.

@koto
Member

koto commented Jan 15, 2024

require-trusted-types-for 'script' seems more future-proof, opening up the possibility for type-based enforcement for other web risks. This was requested in the past (#104), though the first and most important use case was DOM XSS. Sink groups in the spec are a preparation for that; we could remove them as well while keeping the CSP syntax. I'd rather the syntax stayed as-is for backwards compatibility.

So, in general, +1 to:

> Being pragmatic given this has shipped in Chromium already I think it might make sense just to clarify the spec language and any documentation (such as MDN) but leave it as it is currently?

mbrodesser-Igalia added a commit to mbrodesser-Igalia/trusted-types that referenced this issue Jan 15, 2024
…jection sinks

Allowed clarifying that all XSS injection sinks are covered by the
"trusted-types-sink-group" named 'script'.

Closes w3c#383
koto added a commit that referenced this issue Jan 16, 2024
@koto koto closed this as completed in #407 Jan 16, 2024
koto added a commit that referenced this issue Jan 16, 2024