• Mozilla plans to implement Trusted Types in Firefox to reduce web attacks relying on injected code.

• Trusted Types has been successful in preventing DOM-based XSS on popular websites.

• As more websites adopt Trusted Types, XSS attacks are expected to become less common.

  • DacoTaco
    link
    fedilink
    English
    33
    edit-2
    11 months ago

    I had no idea trusted types existed, and took a while to realise the w3 docs was confusing as hell.
    But mozilla to the rescue : https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API

    So it boils down to a javascript api to santize a string before using it in a plathora of javascript functions that interact with the DOM. Neat, but if the developer has to make the policy themselves i dont see the added bonus to this. XSS seems to be still possible if the policy is made incorrectly?

    Edit : or am i reading the example wrong and the developer defined code is on top of whatever the api does with the string? I also dont understand why the browsers implementation of innerHtml couldnt just automatically apply whatever that policy does…