Ensure at least one representative of all classes of injection sinks is guarded with TT #419
Comments
I'm not sure I follow. Do you propose to only cover 3 sinks in total in v1 of the spec, or the Gecko implementation, or something else? The sinks listed in the spec and WPT all need to be covered in whatever implementation at the moment of shipping any version of the spec - anything else will result in observable differences in websites that already enforce TT (For example, the default policy would be called in one browser, and not called in the other for some sinks). I'm not opposed to stopping at some point, and listing some of the rarer, or more obscure sinks as level 2, but I think level 1 should be covering what's in the spec vs 1 exemplary sink from 3 classes, as that doesn't match what the authors would expect from a security feature. |
mbrodesser-Igalia
changed the title
Agreed.
Agreed. That is, all sinks which the spec currently already covers, should continue to be covered. Others, potentially like the one mentioned at #385 (comment) and in the ones in the comments following it, are candidates for v2. |
|
Does this issue need to remain open? Idk if there's anything actionable from it? |
No.
No. |
Classes of injection sinks are:
someScript.src = someSrc.eval(someString).someScriptElement.setAttribute("src", someSrc).This is required in order to ensure all injection sinks can be guarded with TT. Finding out later, that some classes can't be covered would violate the second goal of https://w3c.github.io/trusted-types/dist/spec/#goals: "Encourage a design in which security decisions are encapsulated within a small part of the application."
This allows shipping v1 without guarding all injection sinks. Covering the remaining sinks (#385) could be done in v2.
StringContextattribute (https://w3c.github.io/trusted-types/dist/spec/#StringContext).script.setAttribute('src')#402.Feedback here is appreciated.
The text was updated successfully, but these errors were encountered: