Comments (4)
Somewhat related: DOMParser.parseFromString
(https://w3c.github.io/DOM-Parsing/#the-domparser-interface) returns a Document
. Should parseFromString be considered a HTML sink, and hence require TrustedHTML
?
Conversely, DOMParser is used as the building block of HTML sanitizers (https://github.com/cure53/DOMPurify/blob/987a1e5569a7a4d4db97a145a51ff1ceafde9b89/src/purify.js#L380), in which context it's assumed that it's safe to pass untrusted HTML to it (as long as the resulting Document is not attached without further sanitization).
The DOM-Parsing spec has no "security considerations" section, so it's not quite clear whether the intent is that parsing untrusted HTML is safe.
from trusted-types.
I've covered these document-creating functions in #50.
from trusted-types.
Regarding node adoption, it's an interesting case:
In Chrome, it seems that the scripts execute with from their original realm even after implicit adoption. If FF, this is behaving as expected.
My take on this would be to consider this out of scope. Same origin documents can also just script you directly. It's not the exact same vector, as here the TT-ed document is actively initiating the potentially malicious action, but this feels like an intentional I'm-going-out-of-my-way bypass.
from trusted-types.
Re: node adoption, we decided to put it out of scope for v1, and to add it as a security consideration:
https://wicg.github.io/trusted-types/dist/spec/##cross-document-vectors
from trusted-types.
Related Issues (20)
- Adopt Infra syntax throughout
- Event handler enforcement section wrong HOT 1
- [Meta] Upstream changes HOT 2
- HTML timers as specced won't work HOT 2
- Callback IDL types HOT 1
- New `script text` associated data and associated mechanisms need adding to SVGScriptElement
- "Validate the string in context" takes any value and calls "Get Trusted Type compliant string" which requires a TrustedType or a string HOT 12
- CSP sample for eval and Function HOT 4
- Get trusted type compliant attribute value sink HOT 1
- Improve test coverage of sink values HOT 1
- Check variable naming inside of getAttributeType and getPropertyType methods
- `execCommand` spec won't work HOT 7
- `createPolicy`'s permitted policy names are inconsistent with CSP's permitted policy names HOT 5
- faq.md outdated HOT 1
- Script element protection model HOT 2
- WPT for CSP header `trusted-types 'none' 'none'` missing HOT 7
- "Should Trusted Type policy creation be blocked by Content Security Policy?" passes "directive" instead of directive's name to "Create a violation object for global, policy, and directive"
- Spec / implementation mismatch with document.write/writeln HOT 8
- "Create a Trusted Type Policy" should specify the TypeError messages HOT 3
- Should SVGScriptElement have an IDL way to set a trusted script value? HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from trusted-types.