Open Bug 1916957 Opened 1 year ago Updated 7 months ago

Implement Trusted Types support for all remaining injection sinks for Windows (not Workers)

Categories

(Core :: DOM: Security, task)

task

People

(Reporter: mbrodesser, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog])

Severity: -- → N/A
Whiteboard: [domsecurity-backlog]
Depends on: 1925468
Depends on: 1928318
Depends on: 1928932
Depends on: 1928990
Depends on: 1928991
Depends on: 1906650, 1913077, 1914372
No longer depends on: 1928990, 1928991
Depends on: 1928991
Depends on: 1928990

Status update

  • Work is done for Element.insertAdjacentHTML and Element.innerHTML using specialized implementations of "Get Trusted Type policy value" and "Get Trusted Type compliant string" (trustedTypeName/TrustedType/expectedType are always assumed to be TrustedHTML and the global object to be a Window).
  • Uploaded patches make the code work with types other than TrustedHTML and also implement "Get Trusted Types-compliant attribute value".
  • These patches implement support for the sinks corresponding to the information provided by getAttributeType/getPropertyType: HTMLScriptElement's src/innerText/textContent/text IDL attributes, Element's outerHTML IDL attribute, Element's setAttribute/setAttributeNS.
  • Advanced enforcement for scripts has not been implemented for now.

Patch stack

  • D227943: Bug 1925468 - Implement Trusted Type support for setAttribute/setAttributeNS.
  • D227926: Bug 1925468 - Factor out "Get Trusted Type Data For Attribute".
  • D227830: Bug 1928990 - Implement Trusted Types support for iframe srcdoc IDL attribute.
  • D227827: Bug 1928991 - Implement Trusted Types support for outerHTML IDL attribute.
  • D227513: Bug 1905706 - Trusted Types support for the src/innerText/textContent/text IDL attributes of HTMLScriptElement.
  • D227505: Bug 1928318 - Make GetTrustedTypesCompliantString accept a variant of "trusted type or string" values.
  • D227479: Bug 1928318 - Make ProcessValueWithADefaultPolicy handle any trusted type.
  • D227457: Bug 1928318 - Introduce TrustedType and GetTrustedTypeName().

Try server: https://treeherder.mozilla.org/jobs?repo=try&revision=7c184a5b984949218e85442ef5850c942f371a3a
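The status update above names the spec algorithms the patches implement ("Get Trusted Type compliant string", the sink lookups getPropertyType/getAttributeType, and the default policy). The following is an added example that models those algorithms so they can be run outside a browser; it is not Firefox's code and not the browser's window.trustedTypes API. The sink table is reduced to the sinks listed in the status update, the `enforce` flag stands in for a CSP `require-trusted-types-for 'script'` directive being in effect, and the policy names and sample HTML are constructed for the example.

```javascript
// Stand-alone model of Trusted Types sink enforcement (added example, not Firefox code).
// Trusted value wrappers: the only way to obtain one is through a policy.
class TrustedHTML { constructor(data) { this.data = data; } toString() { return this.data; } }
class TrustedScript { constructor(data) { this.data = data; } toString() { return this.data; } }
class TrustedScriptURL { constructor(data) { this.data = data; } toString() { return this.data; } }
const TRUSTED_TYPES = { TrustedHTML, TrustedScript, TrustedScriptURL };
const CREATE_FN = { TrustedHTML: 'createHTML', TrustedScript: 'createScript',
                    TrustedScriptURL: 'createScriptURL' };

// Sink table reduced to the sinks named in the status update: innerHTML, outerHTML,
// iframe srcdoc, script src/innerText/textContent/text, plus event-handler attributes.
const PROPERTY_SINKS = {
  '*': { innerHTML: 'TrustedHTML', outerHTML: 'TrustedHTML' },
  iframe: { srcdoc: 'TrustedHTML' },
  script: { src: 'TrustedScriptURL', innerText: 'TrustedScript',
            textContent: 'TrustedScript', text: 'TrustedScript' },
};
const ATTRIBUTE_SINKS = { iframe: { srcdoc: 'TrustedHTML' }, script: { src: 'TrustedScriptURL' } };
const own = (table, key) => (table && Object.prototype.hasOwnProperty.call(table, key)) ? table[key] : null;

// getPropertyType: which trusted type an IDL attribute on a given element expects.
function getPropertyType(tagName, property) {
  const tag = tagName.toLowerCase();
  return own(PROPERTY_SINKS[tag], property) || own(PROPERTY_SINKS['*'], property);
}

// getAttributeType: same lookup for content attributes set via setAttribute/setAttributeNS.
function getAttributeType(tagName, attribute) {
  if (/^on/i.test(attribute)) return 'TrustedScript'; // event handler attributes on any element
  return own(ATTRIBUTE_SINKS[tagName.toLowerCase()], attribute.toLowerCase());
}

// Policy factory: createPolicy() wraps the author's callbacks so their return values are
// the only source of trusted objects. A policy named "default" becomes the fallback that
// enforcing sinks consult for plain strings.
class TrustedTypePolicyFactory {
  constructor() { this.policies = new Map(); this.defaultPolicy = null; }
  createPolicy(name, options = {}) {
    if (this.policies.has(name)) throw new TypeError(`policy "${name}" already exists`);
    const wrap = (fn, Type) => (input, ...args) => {
      if (typeof fn !== 'function') throw new TypeError(`policy "${name}" has no ${Type.name} factory`);
      const out = fn(String(input), ...args);
      return out === null || out === undefined ? null : new Type(String(out));
    };
    const policy = {
      name,
      createHTML: wrap(options.createHTML, TrustedHTML),
      createScript: wrap(options.createScript, TrustedScript),
      createScriptURL: wrap(options.createScriptURL, TrustedScriptURL),
    };
    this.policies.set(name, policy);
    if (name === 'default') this.defaultPolicy = policy;
    return policy;
  }
}

// "Get Trusted Type compliant string": the check a sink runs on every assignment.
//  1. a value of the expected trusted type passes through unchanged;
//  2. without enforcement, anything is stringified and accepted;
//  3. under enforcement, a plain string is routed through the default policy,
//     and rejected (TypeError) if there is none or it returns null.
function getTrustedTypeCompliantString(factory, enforce, expectedType, input, sinkName) {
  if (input instanceof TRUSTED_TYPES[expectedType]) return input.data;
  if (!enforce) return String(input);
  if (!factory.defaultPolicy) {
    throw new TypeError(`${sinkName} requires ${expectedType} and no default policy is set`);
  }
  const result = factory.defaultPolicy[CREATE_FN[expectedType]](String(input), expectedType, sinkName);
  if (result === null) throw new TypeError(`default policy rejected value for ${sinkName}`);
  return result.data;
}

// Constructed walk-through: a sanitizing policy, an enforcing innerHTML sink, and a
// default policy that only escapes for innerHTML and refuses every other sink.
function demo() {
  const factory = new TrustedTypePolicyFactory();
  const sanitizer = factory.createPolicy('strip-scripts', {
    createHTML: s => s.replace(/<script[\s\S]*?<\/script>/gi, ''),
  });
  const safe = sanitizer.createHTML('<b>hi</b><script>x()</script>');
  const accepted = getTrustedTypeCompliantString(factory, true, 'TrustedHTML', safe, 'Element innerHTML');
  factory.createPolicy('default', {
    createHTML: (s, type, sink) => sink === 'Element innerHTML' ? s.replace(/</g, '&lt;') : null,
  });
  const escaped = getTrustedTypeCompliantString(factory, true, 'TrustedHTML', '<img>', 'Element innerHTML');
  return { accepted, escaped };
}
```

Step 3 is the behaviour to watch in deployment: a default policy that returns null for a sink makes that assignment throw, which is the same outcome as having no default policy at all, so a report-only rollout should log which sink names reach it before enforcement is switched on.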

Depends on: 1931272
Depends on: 1931276
Depends on: 1931284
Depends on: 1931288
Depends on: 1931290
Depends on: 1931295
Depends on: 1934221
Depends on: 1931282
Depends on: 1913339
See Also: → 1903717
Depends on: 1940044
Depends on: 1940049
Depends on: 1941005

MDN docs work for this and other parts of the API in FF135 (ish) can be tracked in https://github.com/mdn/content/issues/37518

@fredw, last time we asked the API was untestable. Is that still the case? If so, can you outline what has been done? So far I have this list https://pr37926.content.dev.mdn.mozit.cloud/en-US/docs/Mozilla/Firefox/Experimental_features#trusted_types_api

I know I need to add the TrustedTypes to that list too (such as TrustedHtml) but wanted to get broad confirmation from you on what interfaces and sinks have testable implementations. If it is still too early we can wait - but we'll have to list everything supported at some point and update compatibility data.

Flags: needinfo?(fbraun)

I think you want to look at Trusted Types when bug 1939805 has been resolved. The individual pieces don't make a lot of sense on their own.

Flags: needinfo?(fbraun)