Proposal: XSS Prevention Enforcement

[Kovner]

We propose the following, and are interested in hearing your feedback:

• Prevent inline javascript. This means you will have to keep your javascript logic in separate files from your html
• Prevent loading of external (non-local) scripts. This means you will need to download any .js files you use in your web app and have the reference be to that local file.

[tjallingt]

Prevent inline javascript. This means you will have to keep your javascript logic in separate files from your html

Definitely a good idea, the problem being that a lot of things are "inline JavaScript". AFAIK just preventing script tags with children from appearing may not be nearly enough to ensure no JavaScript is inlined in the extension. see: https://sites.google.com/site/xssvulnerabilities/basic-stored-javascript-injection
But I think this is definitely a good idea to prevent at least the most basic XSS in a way that should not bother developers too much 👍

Prevent loading of external (non-local) scripts. This means you will need to download any .js files you use in your web app and have the reference be to that local file.

A while back i suggested on the prerelease forum that sub-resource integrity hashes might be a good idea to secure remote content although back then i suggested everything should be checked for integrity. Maybe it is an idea to register the hosts and integrity hashes of remote scripts? This has the major downside that people will need to update their .trex files if these files need to be updated but i hope people will not update their remote scripts too often...

However other then breaking the advantages that CDN's offer it really isn't that big of a deal to have to self host libraries that you use in your extension.

EDIT: now that i think of it, the non-local scripts would also make globally used extensions a bit of a pain because if you want to host your extension near your users you might need "region-specific" .trex files 😕

[johnDance]

The sandbox server has been created and is running for a few years now.