diff --git a/src/content/docs/guides/policy-diff.md b/src/content/docs/guides/policy-diff.md index 3b9feb6..96e1b04 100644 --- a/src/content/docs/guides/policy-diff.md +++ b/src/content/docs/guides/policy-diff.md 
@@ -70,16 +70,20 @@ A more advanced review would be to apply [Principle of Least Authority][PoLA] an Examples of powerful APIs - not an exhaustive list: -| global | builtin | description | -| ----------------------------------------------------- | ------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- | -| | `child_process` and any form of `exec` or `spawn` | Allows running arbitrary commands on the host machine and is not covered | -| | `fs` | Allows reading and writing files on the host machine | -| `fetch`, `XMLHttpRequest`, `WebSocket`, `EventSource` | `http`, `https`, `net` | Allows making network requests | -| `document` | | contains a lot of powerful APIs that can be used to manipulate the DOM, including creating iframes with unprotected globals | -| `open` | | `window.open` allows opening new windows/tabs and accessing clean globals there | -| `navigator` | | contains a lot of powerful APIs that can be used to fingerprint the user or control the browser | -| `chrome` or `browser` | | extension APIs - should only be accessed by a package that is a helper library for cross-browser extensions | -| `process` | | Allows reading and writing environment variables and other process-related operations | -| | `vm` | Allows running arbitrary code in a new context | +| global | builtin | description | +| ----------------------------------------------------- | ------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- | +| | `child_process` and any form of `exec` or `spawn` | Allows running arbitrary commands on the host machine and is not covered | +| | `fs` | Allows reading and writing files on the host machine | +| `fetch`, `XMLHttpRequest`, `WebSocket`, `EventSource` | `http`, `https`, `net` | Allows making network requests | +| 
`document` | | contains a lot of powerful APIs that can be used to manipulate the DOM, including creating iframes with unprotected globals | +| `open` | | `window.open` allows opening new windows/tabs and accessing clean globals there | +| `navigator` | | contains a lot of powerful APIs that can be used to fingerprint the user or control the browser | +| `chrome` or `browser` | | extension APIs - should only be accessed by a package that is a helper library for cross-browser extensions | +| `process` | | Allows reading and writing environment variables and other process-related operations | +| | `vm` | Allows running arbitrary code in a new context | +| `document.querySelector`, `document.createElement`, etc| | Grants access to powerful context related objects such as `document` and `window` (aka globalThis) via properties such as `ownerDocument` or `defaultView` which are exposed by DOM nodes (which are the type of return values of such APIs) | +| `Document.prototype`, `Node.prototype`, etc | | Redefining methods of these prototypes may allow attackers to hijack these at runtime when are being used by innocent code elsewhere | +| `addEventListener` | | Events leak powerful objects such as DOM nodes, `document` and `window` - such API may grant attackers access to such events. Also, listening to the `message` event specifically may allow attackers to intercept sensitive messages being sent across the app | +| `location` | | A powerful API that may allow attackers change the location of the app which may result in phishing attempts | [PoLA]: https://en.wikipedia.org/wiki/Principle_of_least_privilege
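Review bot: three of the new rows need wording or table fixes before merge. The `Document.prototype`, `Node.prototype` row drops a word: "when are being used by innocent code elsewhere" should read "when they are being used by innocent code elsewhere". The `location` row reads "may allow attackers change the location of the app", where "to change" is meant. The `document.querySelector`, `document.createElement` row is missing the space before its first `|` ("etc| |"), which every other row keeps for column alignment, so the cell renders inconsistently with the rest of the table. Also worth a look: the removed and re-added rows for the pre-existing entries (`child_process` through `vm`) appear identical line for line, so the hunk seems to carry a whitespace-only rewrite of the original table on top of the four genuinely new rows; if that reflow was unintentional, trimming it to the appended rows would make the change easier to review. Finally, the `addEventListener` row is the only one that names a concrete event (`message`) without saying what the sensitive messages are; a short pointer that these are `postMessage` payloads exchanged between the app and its frames or workers would make the risk concrete for readers of this guide.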