Summary: Trusted Types is an API that lets applications lock down powerful
DOM APIs so that they accept only non-spoofable, typed values in place of
strings, preventing the vulnerabilities that arise when those APIs are called
with attacker-controlled input. Basic use case:
  // CSP: require-trusted-types-for 'script'
  const myTrustedTypesPolicy = trustedTypes.createPolicy("myPolicy", {
    createScript: value => myJSSanitizer(value)
  });
  let script = document.createElement("script");
  script.text = unsafeCode; // blocked by CSP.
  // Create a Trusted Type wrapping the string returned by myJSSanitizer(unsafeCode).
  let trustedScript = myTrustedTypesPolicy.createScript(unsafeCode);
  script.text = trustedScript; // not blocked by CSP.
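The enforcement behaviour shown above, modelled in plain Node.js as an added example (not code from this message, Firefox, or the spec) so it runs outside a browser: a policy mints opaque TrustedScript values, and a sink guarded by require-trusted-types-for 'script' rejects plain strings and look-alike objects. The policy-name allowlist stands in for a CSP `trusted-types myPolicy` directive, and myJSSanitizer is a constructed stand-in sanitizer; both are assumptions of this example.

```javascript
// Brand registry: only objects minted by a policy are members, so an
// attacker-controlled object with a matching toString() cannot pass the check.
const trustedScripts = new WeakSet();

class TrustedScript {
  #value;
  constructor(value) { this.#value = value; }
  toString() { return this.#value; }
}

// Assumption: allowlist of policy names, standing in for `trusted-types myPolicy`.
const allowedPolicyNames = new Set(["myPolicy"]);

function createPolicy(name, rules) {
  if (!allowedPolicyNames.has(name)) {
    throw new TypeError(`Policy "${name}" disallowed by Content Security Policy`);
  }
  return {
    createScript(input) {
      // Run the policy's sanitizer first, then wrap its output in the opaque type.
      const ts = new TrustedScript(String(rules.createScript(input)));
      trustedScripts.add(ts);
      return ts;
    },
  };
}

// Model of a script sink (e.g. HTMLScriptElement.text) under
// `require-trusted-types-for 'script'`: only branded TrustedScript values get through.
function assignScriptText(value) {
  if (!trustedScripts.has(value)) {
    throw new TypeError("This document requires 'TrustedScript' assignment.");
  }
  return String(value); // what the sink would actually execute
}

// Constructed stand-in sanitizer: only a fixed, harmless statement shape is
// allowed through; anything else is replaced by a no-op comment.
function myJSSanitizer(value) {
  return /^console\.log\("[^"\\]*"\);?$/.test(value)
    ? value
    : "/* rejected by myJSSanitizer */";
}
```

Swap the model sink for a real `script.text` assignment in a page served with the two CSP directives and the same three outcomes (sanitised value accepted, plain string rejected, spoofed object rejected) apply.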
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1508286,
https://bugzilla.mozilla.org/show_bug.cgi?id=1845360
Specification:
https://w3c.github.io/trusted-types/
https://w3c.github.io/webappsec-csp/
https://html.spec.whatwg.org/
https://dom.spec.whatwg.org/
https://tc39.es/ecma262/
Standards Bodies: W3C, WhatWG, ECMA
Platform coverage: All platforms
Preference: dom.security.trusted_types.enabled
DevTools bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1935431
Link to standards-positions discussion:
https://github.com/mozilla/standards-positions/issues/20
Other browsers:
Blink: Shipped
WebKit: Shipped
web-platform-tests:
- trusted_types/
- script-src/script-src-trusted_types_*
- content-security-policy/reporting/report-clips-sample.https.html
--
To view this discussion visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/d9850c71-db8c-4dc3-bc7b-5e77ee20fd7e%40igalia.com.