
Collect HTML injection sinks and DOM XSS injection sinks under XSS injection sinks #404

Conversation

mbrodesser-Igalia (Collaborator):
Allowed clarifying that all XSS injection sinks are covered by the
"trusted-types-sink-group" named 'script'.

Closes #383

@@ -67,10 +67,10 @@ if `aString` contains untrusted data, `foo[bar] = aString` is a statement
that potentially can trigger a vulnerability, depending on a value
of `foo` and `bar`.

This document focuses on preventing DOM-Based Cross-Site Scripting
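Review bot: The rendered hunk keeps only context lines, with the +/- markers lost, so the actual wording change around "This document focuses on preventing DOM-Based Cross-Site Scripting" cannot be checked here; whatever that line becomes, keep the "DOM-Based" qualifier and its link fragment, because the document's scope is sinks reachable from client-side script (DOM API sinks, eval, script URLs), which is narrower than Cross-Site Scripting in general, and the same qualifier should survive wherever "DOM XSS injection sinks" is folded into "XSS injection sinks". Minor, in the unchanged context: "depending on a value of `foo` and `bar`" reads better as "depending on the values of `foo` and `bar`".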
Member (reviewer):

Please keep the DOM-Based XSS or DOM XSS in the spec text (and the link fragments). Trusted Types only covers DOM XSS (Type 0 XSS). The name is a bit misleading, but DOM XSS covers all sinks available to client side code (i.e. DOM API sinks, but also eval, Location etc). This is as opposed to server-side XSSes (Type 1 and 2).

This applies to all mentions below.

Collaborator (author):

Agree. Thanks for the explanation.
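The exchange above hinges on one point: every DOM XSS sink, whether it takes HTML, script text or a script URL, sits in the single `trusted-types-sink-group` named `'script'`, so one `require-trusted-types-for 'script'` directive covers them all. The following is an added, Node-runnable model of that mechanism; it is not the browser's `window.trustedTypes` API and not code from the w3c/trusted-types repository. The sink table, the policy rules, the CSP header and the untrusted input are all constructed for the example, and the table is deliberately partial.

```javascript
'use strict';

// Constructed, partial sink table: DOM XSS sink -> trusted type it requires.
// Sink names mirror well-known DOM sinks; the grouping is what matters here.
const SINKS = {
  'Element.innerHTML':          'TrustedHTML',
  'Element.insertAdjacentHTML': 'TrustedHTML',
  'Document.write':             'TrustedHTML',
  'eval':                       'TrustedScript',
  'HTMLScriptElement.text':     'TrustedScript',
  'HTMLScriptElement.src':      'TrustedScriptURL',
  'Worker constructor':         'TrustedScriptURL',
};

// Sink group per trusted type. All three map to 'script': a single
// require-trusted-types-for 'script' directive enforces HTML, script-text
// and script-URL sinks alike, which is the clarification this PR makes.
const SINK_GROUP = {
  TrustedHTML: 'script',
  TrustedScript: 'script',
  TrustedScriptURL: 'script',
};

// Stand-in for the trusted types. Instances can only be minted through a
// policy (the private `brand` symbol), which is what makes a value trusted.
const brand = Symbol('trusted');
class TrustedValue {
  constructor(type, value, key) {
    if (key !== brand) throw new TypeError(`${type} must be created by a policy`);
    this.type = type;
    this.value = value;
  }
  toString() { return this.value; }
}

// Model of trustedTypes.createPolicy: each rule is a caller-supplied
// function (sanitizer, allowlist check, ...) whose output is wrapped.
function createPolicy(name, rules) {
  const wrap = (type, rule) => (input) => {
    if (typeof rule !== 'function') {
      throw new TypeError(`policy "${name}" has no rule for ${type}`);
    }
    return new TrustedValue(type, String(rule(input)), brand);
  };
  return {
    name,
    createHTML: wrap('TrustedHTML', rules.createHTML),
    createScript: wrap('TrustedScript', rules.createScript),
    createScriptURL: wrap('TrustedScriptURL', rules.createScriptURL),
  };
}

// Collect the sink groups named by require-trusted-types-for in a CSP
// header value. Returns a Set of group names (only 'script' exists today).
function enforcedGroups(csp) {
  const groups = new Set();
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] === 'require-trusted-types-for') {
      for (const t of tokens.slice(1)) groups.add(t.replace(/^'|'$/g, ''));
    }
  }
  return groups;
}

// Model of the "get trusted type compliant string" step performed at a sink:
// returns the string the sink may consume, or throws a TypeError when the
// sink's group is enforced and the value is not the required trusted type.
function sinkInput(groups, sinkName, value) {
  const required = SINKS[sinkName];
  if (required === undefined) throw new RangeError(`unknown sink ${sinkName}`);
  if (value instanceof TrustedValue && value.type === required) return value.value;
  if (!groups.has(SINK_GROUP[required])) return String(value); // not enforced: legacy behaviour
  throw new TypeError(
    `${sinkName} requires ${required} under require-trusted-types-for '${SINK_GROUP[required]}'`);
}

// Constructed demonstration inputs.
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
const policy = createPolicy('demo', { createHTML: escapeHtml });
const untrusted = '<img src=x onerror="alert(1)">';
const strict = enforcedGroups("default-src 'self'; require-trusted-types-for 'script'");

// Without the directive the string reaches innerHTML unchanged; with it, the
// plain string is rejected at every sink kind and only a policy-made value passes.
console.log(sinkInput(new Set(), 'Element.innerHTML', untrusted));
for (const sink of ['Element.innerHTML', 'eval', 'HTMLScriptElement.src']) {
  try { sinkInput(strict, sink, untrusted); } catch (e) { console.log(e.message); }
}
console.log(sinkInput(strict, 'Element.innerHTML', policy.createHTML(untrusted)));
```

The design choice worth noticing is that enforcement is decided per sink group, not per sink or per trusted type: `sinkInput` looks the sink's required type up in `SINKS`, maps the type to its group, and only then asks whether the directive named that group. That is why a future directive value could enforce a different subset of sinks without changing the sink table.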

@@ -205,14 +205,17 @@ it's not easy to distinguish one from the other.
This document organizes the injection sinks into groups, based on the
capabilities that sinks in a given group have. [=Enforcement=] for groups is controlled via <a>trusted-types-sink-group</a> values.

### HTML injection sinks ### {#html-injection-sinks}
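Review bot: The header shows three lines added (14 to 17), but the rendering only exposes the sentence about sink groups and the heading "### HTML injection sinks ### {#html-injection-sinks}", so it is not visible whether that section is kept, nested under a new "XSS injection sinks" section, or renamed. If it is moved or renamed, keep the `{#html-injection-sinks}` id (or carry the old id as an alias) so that existing fragment links, including the one from the `<a>trusted-types-sink-group</a>` definition, keep resolving. The sentence "[=Enforcement=] for groups is controlled via <a>trusted-types-sink-group</a> values" would also be the natural place to state that every current group maps to the single value 'script', which is the clarification the PR description promises.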
Member (reviewer):

Perhaps it might be easier to just merge those two existing sections, and separate them once there is another use case specified?

#407

Collaborator (author):

Agree.

@mbrodesser-Igalia mbrodesser-Igalia deleted the 383_collect_html_injection_sinks_and_dom_xss_injection_sinks_under_xss_injection_sinks branch January 16, 2024 11:41
Successfully merging this pull request may close these issues.

Should require-trusted-types-for support trusted scripts and trusted script URLs?