Feature: Trusted Types support #64975
Conversation
@ryantxu I've refactored the code so we can reach The
We might do the News/rss sanitization in another PR.
docs/sources/setup-grafana/configure-security/configure-security-hardening/index.md
Co-authored-by: Kristian Bremberg <114284895+KristianGrafana@users.noreply.github.com>
pkg/api/dtos/index.go (outdated)
    CSPContent string
    CSPEnabled bool
    TestModeEnabled bool
Do we need all three? Why send CSPContent to the frontend if it is not enabled?
Can we derive TrustedTypesEnabled from the CSP content? IIUC, it would be invalid if we say trusted types are enabled but the CSP content does not (and the reverse).
lgtm
To try this PR, enable the feature flag trustedTypes.

Trusted Types is a security mechanism that locks down DOM APIs that often provide the sinks used when exploiting DOM XSS. By using Trusted Types you force a string to be handled (preferably sanitized) before the API can use it. Trusted Types provides a robust defense against DOM XSS. Trusted Types is currently only supported in Chrome.

This PR shows a minimal working PoC that uses createHTML, createScript and createScriptURL. Currently each one of them uses a different method: sanitizing via a library (DOMPurify), inline sanitizing, and doing nothing. Grafana uses many third-party libraries that we cannot control, but we do have some first-party code that we can change to either return a Trusted Type object or refactor so it does not use unsafe DOM APIs. These will be documented in this PR.

Added things

How to use

Enable Trusted Types without an implementation (to see errors):
- set content_security_policy_report_only = true
- add require-trusted-types-for 'script'; to content_security_policy_report_only_template
- set disable_sanitize_html = true in order to see errors

Test the implementation:
- set trustedTypes = true
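The PR description above names three creators (createHTML, createScript, createScriptURL) and says each currently uses a different strategy. The block below is an added example written for this page, not code from the PR or from Grafana: it builds one policy with the three creators, sanitizing HTML, allow-listing script URLs by origin, and refusing dynamic script text (the strict alternative to the PR's "do nothing" creator). The policy name "grafana", the deployment origin https://grafana.example, the tiny allow-list sanitizer (a stand-in for DOMPurify so the code runs offline; not a real sanitizer) and the fakeTrustedTypes factory (a stand-in for the browser's window.trustedTypes) are all assumptions of this example. The fallback branch is what lets the same checks run in browsers without Trusted Types, which at the time of the PR meant everything except Chrome.

```javascript
"use strict";

// Added example, not Grafana's code: one Trusted Types policy with the three
// creators named in the PR, plus a plain-string fallback for browsers that
// lack Trusted Types.

// Assumed deployment origin; only scripts from this origin may load.
const SCRIPT_ORIGIN_ALLOWLIST = new Set(["https://grafana.example"]);
const DOCUMENT_BASE = "https://grafana.example/";

// Tags the toy sanitizer keeps. Attributes are always dropped.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "br", "a", "code"]);

// Toy allow-list sanitizer standing in for DOMPurify so the example runs
// offline. It is NOT a production sanitizer; use DOMPurify in real code.
function toySanitize(html) {
  return String(html).replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g, (tag, name) => {
    const lower = name.toLowerCase();
    if (!ALLOWED_TAGS.has(lower)) return ""; // drops <script>, <img>, <iframe>, ...
    // Keep the tag but none of its attributes (on*, href, style, ...).
    return tag.startsWith("</") ? `</${lower}>` : `<${lower}>`;
  });
}

// createScriptURL strategy: resolve against the document base and accept only
// allow-listed origins. javascript:, data: and foreign hosts all have an
// origin that is not in the set and are rejected.
function checkScriptURL(input) {
  let url;
  try {
    url = new URL(String(input), DOCUMENT_BASE);
  } catch (e) {
    throw new TypeError(`unparsable script URL: ${input}`);
  }
  if (!SCRIPT_ORIGIN_ALLOWLIST.has(url.origin)) {
    throw new TypeError(`script URL origin not allowed: ${url.origin}`);
  }
  return url.href;
}

// createScript strategy: dynamic script text is never trusted; only exact,
// known literals may pass. The set is empty here, so every call is rejected.
const KNOWN_SCRIPT_LITERALS = new Set();
function checkScript(input) {
  const text = String(input);
  if (!KNOWN_SCRIPT_LITERALS.has(text)) {
    throw new TypeError("refusing to create TrustedScript from dynamic text");
  }
  return text;
}

const CREATORS = {
  createHTML: toySanitize,
  createScript: checkScript,
  createScriptURL: checkScriptURL,
};

// Build the policy. With the real API (window.trustedTypes) the browser wraps
// results in TrustedHTML/TrustedScript/TrustedScriptURL objects; without it we
// run the same checks but hand back plain strings, so callers share one path.
function makePolicy(name, creators, tt = globalThis.trustedTypes) {
  if (tt && typeof tt.createPolicy === "function") {
    return tt.createPolicy(name, creators);
  }
  return {
    createHTML: (s) => creators.createHTML(String(s)),
    createScript: (s) => creators.createScript(String(s)),
    createScriptURL: (s) => creators.createScriptURL(String(s)),
  };
}

// Stand-in for the browser's trustedTypes factory (assumed shape, only for
// running outside a browser): brands each result so callers can tell a
// trusted value from a raw string.
const fakeTrustedTypes = {
  createPolicy(name, creators) {
    const brand = (kind, fn) => (s) => {
      const value = fn(String(s));
      return { kind, policyName: name, toString: () => value };
    };
    return {
      createHTML: brand("TrustedHTML", creators.createHTML),
      createScript: brand("TrustedScript", creators.createScript),
      createScriptURL: brand("TrustedScriptURL", creators.createScriptURL),
    };
  },
};

// Demo with constructed inputs (a panel description, a plugin module path,
// two injected URLs) through the fallback policy.
const policy = makePolicy("grafana", CREATORS);
console.log(policy.createHTML('<p onclick="x()">desc</p><script>alert(1)</script>'));
console.log(policy.createScriptURL("/public/plugins/foo/module.js"));
for (const bad of ["javascript:alert(1)", "//evil.example/x.js"]) {
  try { policy.createScriptURL(bad); } catch (e) { console.log("rejected:", e.message); }
}
```

With require-trusted-types-for 'script' in the CSP, Chrome only accepts the branded objects from createPolicy at sinks such as innerHTML, eval and script.src; in report-only mode, as the How to use steps configure it, violations are reported but not blocked, which is what makes the list of first-party call sites visible before enforcement.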