-
Notifications
You must be signed in to change notification settings - Fork 68
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider implicit node / subtree adoption #49
Comments
Somewhat related: Conversely, DOMParser is used as the building block of HTML sanitizers (https://github.com/cure53/DOMPurify/blob/987a1e5569a7a4d4db97a145a51ff1ceafde9b89/src/purify.js#L380), in which context it's assumed that it's safe to pass untrusted HTML to it (as long as the resulting Document is not attached without further sanitization). The DOM-Parsing spec has no "security considerations" section, so it's not quite clear whether the intent is that parsing untrusted HTML is safe. |
I've covered these document-creating functions in #50. |
Regarding node adoption, it's an interesting case: In Chrome, it seems that the scripts execute with from their original realm even after implicit adoption. If FF, this is behaving as expected. My take on this would be to consider this out of scope. Same origin documents can also just script you directly. It's not the exact same vector, as here the TT-ed document is actively initiating the potentially malicious action, but this feels like an intentional I'm-going-out-of-my-way bypass. |
Re: node adoption, we decided to put it out of scope for v1, and to add it as a security consideration: https://wicg.github.io/trusted-types/dist/spec/##cross-document-vectors |
8.2 DOM Core says
IIUC, before, taking a DOM subtree from
<template>
's and same-origin<iframe>
's content documents and moving it into the DOM required an explicitdocument.importNode
step.That now happens auto-magically.
This means that
insertChild
and related methods can now take nodes from different Realms' documents.Do we need to guard against DOM subtrees that were created using different policy sets?
May depend on how we address #42
The text was updated successfully, but these errors were encountered: