Define rules for TT when multiple headers are present #178

Closed
koto opened this issue Jun 1, 2019 · 3 comments

@koto koto commented Jun 1, 2019

Likely, if we decide to stick with CSP (#1), we'd want to apply each policy separately to align with other CSP directives. That means, e.g., that the policy name list is the intersection of the lists in all headers.

For example:

header('content-security-policy: trusted-types 1a 1b common');
header('content-security-policy: trusted-types 2a 2b common');
header('content-security-policy-report-only: trusted-types 3a 3b; report-uri /');

This header combination should only allow common, and reject 1a, 1b, 2a and 2b. Additionally, the report-only policy will only warn on anything that is not 3a or 3b, including common.

Currently, in Chrome the last CSP header and the last CSP-RO header are applied. The polyfill only allows passing it a single header.

@koto koto changed the title Define rules for TT wen multiple headers are present Define rules for TT when multiple headers are present Jun 1, 2019
@koto koto added this to the v1 milestone Jun 24, 2019
@koto koto added the spec label Jun 24, 2019
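The combination rule proposed in the opening comment, as an added JavaScript example that is not the Trusted Types spec's or polyfill's code. The three header values are the ones quoted in the issue, embedded as a constructed sample; the parsing and the configuration shape are assumptions of this example, not the spec's algorithms.

```javascript
// Added example (not the spec's or polyfill's code). It models the rule from
// the issue: a policy name must be allowed by every enforcing trusted-types
// directive (an intersection); report-only headers report and never block.

// Constructed sample: the three headers quoted in the issue.
const SAMPLE_HEADERS = [
  { name: 'content-security-policy', value: 'trusted-types 1a 1b common' },
  { name: 'content-security-policy', value: 'trusted-types 2a 2b common' },
  { name: 'content-security-policy-report-only', value: 'trusted-types 3a 3b; report-uri /' },
];

// Policy-name tokens of the trusted-types directive in one CSP header value,
// or null when the header carries no such directive.
function parseTrustedTypesDirective(headerValue) {
  for (const directive of headerValue.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'trusted-types') return tokens.slice(1);
  }
  return null;
}

// One configuration per header that carries the directive, tagged enforce or report-only.
function collectConfigurations(headers) {
  const configs = [];
  for (const { name, value } of headers) {
    const lower = name.toLowerCase();
    const enforce = lower === 'content-security-policy';
    if (!enforce && lower !== 'content-security-policy-report-only') continue;
    const names = parseTrustedTypesDirective(value);
    if (names !== null) configs.push({ enforce, allowed: new Set(names) });
  }
  return configs;
}

// Names allowed by every enforcing configuration; null when nothing is enforced.
function enforcedAllowlist(configs) {
  const enforcing = configs.filter((c) => c.enforce);
  if (enforcing.length === 0) return null;
  return [...enforcing[0].allowed].filter((n) => enforcing.every((c) => c.allowed.has(n)));
}

// Creating a policy: blocked if any enforcing configuration rejects the name;
// `reports` counts configurations (enforcing or report-only) that would report it.
function evaluatePolicyCreation(configs, policyName) {
  const rejecting = configs.filter((c) => !c.allowed.has(policyName));
  return { blocked: rejecting.some((c) => c.enforce), reports: rejecting.length };
}
```

With the sample headers, only `common` survives enforcement, and it is still reported once by the report-only header.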
@mikesamuel mikesamuel commented Jul 3, 2019

CSP allows multiple configurations per document.
Enforcement happens when there exists a configuration that requires enforcement.
Reporting happens for each configuration that requires reporting.

Might the simplest change be to

  1. Allow multiple TrustedTypeConfigurations per document.
  2. Change Obtain a Trusted Type Configuration for a response to return plural configurations.
  3. Change algorithms like Create a Trusted Type Policy, Get Trusted Types compliant string, and the enforce and create a violation algos to iterate over configurations.

2 probably depends on issue #182.

@koto koto commented Jul 11, 2019

Let's hook the TTC to the Realm, not the document. This also addresses some of the vectors in #50 (such that all in-realm documents, e.g. ones from DOMParser will be bound to the same TTC).

@koto koto commented Jul 17, 2019

Closed via #191.

@koto koto closed this Jul 17, 2019