Proposal: XSS Prevention Enforcement #103
Comments
Definitely a good idea, the problem being that a lot of things are "inline JavaScript". AFAIK just preventing script tags with children from appearing may not be nearly enough to ensure no JavaScript is inlined in the extension. See: https://sites.google.com/site/xssvulnerabilities/basic-stored-javascript-injection
A while back I suggested on the prerelease forum that sub-resource integrity hashes might be a good idea to secure remote content, although back then I suggested everything should be checked for integrity. Maybe it is an idea to register the hosts and integrity hashes of remote scripts? This has the major downside that people will need to update their .trex files if these files need to be updated, but I hope people will not update their remote scripts too often... However, other than breaking the advantages that CDNs offer, it really isn't that big of a deal to have to self-host libraries that you use in your extension. EDIT: now that I think of it, the non-local scripts would also make globally used extensions a bit of a pain because if you want to host your extension near your users you might need "region-specific" .trex files 😕
The sandbox server has been created and is running for a few years now.
We propose the following, and are interested in hearing your feedback: