Added a script gadgets security considerations section.

See also WICG/sanitizer-api#20
koto · Mar 10, 2021 · 792d17a · 792d17a
1 parent 59eb17c
commit 792d17a
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 6 deletions.
diff --git a/dist/spec/index.html b/dist/spec/index.html
@@ -1486,7 +1486,7 @@
 </style>
   <meta content="Bikeshed version c5172e83, updated Fri Nov 20 15:35:20 2020 -0800" name="generator">
   <link href="https://w3c.github.io/webappsec-trusted-types/dist/spec/" rel="canonical">
-  <meta content="5efc88902109ecb82a99c721c5d5433acceb788f" name="document-revision">
+  <meta content="59eb17c3d46d8bf630b7b3d2cb9eeaf6a9d24567" name="document-revision">
 <style>/* style-autolinks */
 
 .css.css, .property.property, .descriptor.descriptor {
@@ -2047,7 +2047,7 @@
   <div class="head">
    <p data-fill-with="logo"><a class="logo" href="https://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/StyleSheets/TR/2016/logos/W3C" width="72"> </a> </p>
    <h1 class="p-name no-ref" id="title">Trusted Types</h1>
-   <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft, <time class="dt-updated" datetime="2021-03-08">8 March 2021</time></span></h2>
+   <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft, <time class="dt-updated" datetime="2021-03-10">10 March 2021</time></span></h2>
    <div data-fill-with="spec-metadata">
     <dl>
      <dt>This version:
@@ -2196,7 +2196,8 @@ <h2 class="no-num no-toc no-ref" id="contents">Table of Contents</h2>
       <li><a href="#cross-document-vectors"><span class="secno">5.1</span> <span class="content">Cross-document vectors</span></a>
       <li><a href="#deprecated-features"><span class="secno">5.2</span> <span class="content">Deprecated features</span></a>
       <li><a href="#plugins"><span class="secno">5.3</span> <span class="content">Plugin navigation</span></a>
-      <li><a href="#best-practices-for-policy-design"><span class="secno">5.4</span> <span class="content">Best practices for policy design</span></a>
+      <li><a href="#script-gadgets"><span class="secno">5.4</span> <span class="content">Script gadgets</span></a>
+      <li><a href="#best-practices-for-policy-design"><span class="secno">5.5</span> <span class="content">Best practices for policy design</span></a>
      </ol>
     <li>
      <a href="#implementation-considerations"><span class="secno">6</span> <span class="content">Implementation Considerations</span></a>
@@ -4021,7 +4022,17 @@ <h3 class="heading settled" data-level="5.3" id="plugins"><span class="secno">5.
    <p>Since plugin content in the web in general is being phased out for other
 security reasons, and their navigation model is in flux, we recommend authors
 to prevent that bypass vector by limiting the plugins altogether with <a data-link-type="dfn" href="https://w3c.github.io/webappsec-csp/#object-src" id="ref-for-object-src">object-src</a>. For example: <code>Content-Security-Policy: object-src: none</code>.</p>
-   <h3 class="heading settled" data-level="5.4" id="best-practices-for-policy-design"><span class="secno">5.4. </span><span class="content">Best practices for policy design</span><a class="self-link" href="#best-practices-for-policy-design"></a></h3>
+   <h3 class="heading settled" data-level="5.4" id="script-gadgets"><span class="secno">5.4. </span><span class="content">Script gadgets</span><a class="self-link" href="#script-gadgets"></a></h3>
+   <p>While Trusted Types logic is called on many operations that results in creating
+DOM trees from string, it should not be treated as a mechanism for guarding all
+DOM tree creation in a document. This is important especially in the presence of <a href="https://github.com/google/security-research-pocs/tree/master/script-gadgets">script gadgets</a>,
+where an application reacts to contents of usually begign DOM elements or attributes.
+Developers using DOM API directly can trigger such gadgets without using
+Trusted Types. However, in order for the gadget to trigger DOM XSS, it needs to
+obtain a Trusted Type value via a policy. Authors need to ascertain that the data
+passed to Trusted Type policies is indeed trustworthy, if the policy rules don’t
+enforce constraints or validate the data themselves.</p>
+   <h3 class="heading settled" data-level="5.5" id="best-practices-for-policy-design"><span class="secno">5.5. </span><span class="content">Best practices for policy design</span><a class="self-link" href="#best-practices-for-policy-design"></a></h3>
    <p>Trusted Types limit the scope of the code that can introduce
 vulnerabilities via <a data-link-type="dfn" href="#injection-sink" id="ref-for-injection-sink②⑥">injection sinks</a> to the implementation of <a data-link-type="dfn" href="#policies" id="ref-for-policies⑥">policies</a>.
 In this design, insecure policies can still expose <a data-link-type="dfn" href="#injection-sink" id="ref-for-injection-sink②⑦">injection sinks</a> to untrusted data.
@@ -5158,7 +5169,7 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
     <li><a href="#ref-for-injection-sink②②">4.7.2. trusted-types directive</a> <a href="#ref-for-injection-sink②③">(2)</a>
     <li><a href="#ref-for-injection-sink②④">4.7.3. Should sink type mismatch violation be blocked by Content Security Policy?</a>
     <li><a href="#ref-for-injection-sink②⑤">5. Security Considerations</a>
-    <li><a href="#ref-for-injection-sink②⑥">5.4. Best practices for policy design</a> <a href="#ref-for-injection-sink②⑦">(2)</a>
+    <li><a href="#ref-for-injection-sink②⑥">5.5. Best practices for policy design</a> <a href="#ref-for-injection-sink②⑦">(2)</a>
     <li><a href="#ref-for-injection-sink②⑧">6.1. Vendor-specific Extensions and Addons</a>
    </ul>
   </aside>
@@ -5254,7 +5265,7 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
     <li><a href="#ref-for-policies③">2.4. Enforcement</a>
     <li><a href="#ref-for-policies④">2.4.1. Content Security Policy</a>
     <li><a href="#ref-for-policies⑤">4.7.2. trusted-types directive</a>
-    <li><a href="#ref-for-policies⑥">5.4. Best practices for policy design</a>
+    <li><a href="#ref-for-policies⑥">5.5. Best practices for policy design</a>
    </ul>
   </aside>
   <aside class="dfn-panel" data-for="trustedtypepolicyfactory">

diff --git a/spec/index.bs b/spec/index.bs
@@ -1987,6 +1987,19 @@ security reasons, and their navigation model is in flux, we recommend authors
 to prevent that bypass vector by limiting the plugins altogether with
 [=object-src=]. For example: `Content-Security-Policy: object-src: none`.
 
+## Script gadgets
+
+While Trusted Types logic is called on many operations that results in creating
+DOM trees from string, it should not be treated as a mechanism for guarding all
+DOM tree creation in a document. This is important especially in the presence of
+[script gadgets](https://github.com/google/security-research-pocs/tree/master/script-gadgets),
+where an application reacts to contents of usually begign DOM elements or attributes.
+Developers using DOM API directly can trigger such gadgets without using
+Trusted Types. However, in order for the gadget to trigger DOM XSS, it needs to
+obtain a Trusted Type value via a policy. Authors need to ascertain that the data
+passed to Trusted Type policies is indeed trustworthy, if the policy rules don't
+enforce constraints or validate the data themselves.
+
 ## Best practices for policy design ## {#best-practices-for-policy-design}
 
 Trusted Types limit the scope of the code that can introduce