Adressing cross-document vectors comprehensively relies on "origin-policy" which is a proposal which is on hold #422
Milestone
Comments
|
https://w3c.github.io/webappsec-csp/#security-inherit-csp applies only to local schemes. So non-local schemes are not addressed. |
|
https://w3c.github.io/trusted-types/dist/spec/#cross-document-vectors mentions https://github.com/WICG/origin-policy to address cross-document vectors comprehensively. However, the latter is a proposal which is on hold. |
mbrodesser-Igalia
changed the title
|
Are there alternatives? |
|
I don't think there are, at least in Web APIs? For TT (or, more generally, CSP) it's a known limitation. Controls are per-document or realm, whereas XSS affects the whole origin. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://w3c.github.io/trusted-types/dist/spec/#cross-document-vectors mentions that.
Examples of instances not addressable appreciated.
The text was updated successfully, but these errors were encountered: