https://microsoftedge.github.io/edgevr/posts/eliminating-xss-with-trusted-types/ is a blog post about using it with trusted-types 'none'. Element likely uses various libraries which would require making Trusted Types policies rather than using the safer 'none' approach avoiding trust in sanitizers, etc. Using 'none' is a good long-term goal. Requiring Trusted Types and making policies to make the current messy setup work is a realistic short term goal.
Trusted Types is the single most important defense against XSS for a static site like Element. It's also important to have script-src 'self' and ideally style-src 'self', but it's less impactful. That's just the beginning of providing a secure setup. There's a whole lot more to do with CSP, and then protecting against side channels by properly setting up headers for cross-origin isolation.
Is your suggestion related to a problem? Please describe.
Element uses unsafe DOM manipulation which poses a risk of cross-site scripting and other attacks.
Describe the solution you'd like.
Remove the unsafe DOM manipulation and set
Content-Security-Policy: require-trusted-types-for 'script'; trusted-types 'none'
Describe alternatives you've considered.
None
Additional context
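The two headers discussed in this issue, the strict `trusted-types 'none'` in the request above and the named-policy variant suggested as an interim step in the comment, behave differently for the same application code. The following is an added example, not Element's code or anything from the linked blog post: a small offline model of how a browser reads the `require-trusted-types-for` and `trusted-types` directives, so the two setups can be compared without a browser. The policy name `app-policy` is a made-up placeholder, and the model simplifies the spec (it ignores things like the `default` policy); the real enforcement lives in the browser.

```javascript
// Added example (not Element's code): a small model of how the two
// Trusted Types CSP directives behave. Only the header is parsed here;
// enforcement in a real page is done by the browser per the spec.

// Strip the quotes from keyword tokens such as 'script' or 'none'.
function unquote(token) {
  const m = /^'(.*)'$/.exec(token);
  return m ? m[1] : token;
}

// Parse a Content-Security-Policy header value into
// { 'directive-name': [unquoted tokens] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives[name.toLowerCase()] = values.map(unquote);
  }
  return directives;
}

// True when assigning a plain string to a DOM injection sink (innerHTML,
// eval, script.src, ...) is blocked and a TrustedHTML / TrustedScript /
// TrustedScriptURL object is required instead.
function sinksRequireTrustedTypes(directives) {
  return (directives['require-trusted-types-for'] || []).includes('script');
}

// Policy names that trustedTypes.createPolicy() may use.
//   null  -> no trusted-types directive, creation is unrestricted
//   []    -> 'none' (or an empty directive), no policy can ever be created
function allowedPolicyNames(directives) {
  const list = directives['trusted-types'];
  if (list === undefined) return null;
  return list.filter(t => t !== 'allow-duplicates' && t !== 'none');
}

// Model of whether trustedTypes.createPolicy(name) succeeds.
// createdNames: policy names already created on this page (a second policy
// with the same name is rejected unless 'allow-duplicates' is present).
function policyCreationAllowed(directives, name, createdNames = []) {
  const names = allowedPolicyNames(directives);
  if (names === null) return true;
  const allowDup = (directives['trusted-types'] || []).includes('allow-duplicates');
  if (!allowDup && createdNames.includes(name)) return false;
  return names.includes('*') || names.includes(name);
}

// Summarise the posture a header gives the page:
//   'unenforced' : sinks accept raw strings, so innerHTML-style XSS is possible
//   'policies'   : sinks need Trusted Types, but named policies (and whatever
//                  sanitizer sits behind them) are trusted to mint them
//   'locked'     : sinks need Trusted Types and no policy may exist, so the
//                  app cannot feed strings to any injection sink at all
function classifyTrustedTypesSetup(header) {
  const d = parseCsp(header);
  if (!sinksRequireTrustedTypes(d)) return 'unenforced';
  const names = allowedPolicyNames(d);
  return names !== null && names.length === 0 ? 'locked' : 'policies';
}

// Constructed sample headers: the one from this issue, the interim named-policy
// form, and a CSP with no Trusted Types at all.
const SAMPLE_HEADERS = {
  strict: "require-trusted-types-for 'script'; trusted-types 'none'",
  interim: "require-trusted-types-for 'script'; trusted-types app-policy",
  scriptSrcOnly: "script-src 'self'",
};

for (const [label, header] of Object.entries(SAMPLE_HEADERS)) {
  console.log(label.padEnd(14), '->', classifyTrustedTypesSetup(header));
}
```

Under the `strict` header every call to `createPolicy` fails, which is exactly why it forces the removal of the unsafe DOM manipulation rather than wrapping it; under `interim` the page keeps working as long as every sink is fed through the single allowed policy, which moves the trust onto that policy's sanitizer.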