
Commit db82179

Added security consideration section about navigating plugins (#265)
1 parent bcd3c1b commit db82179

2 files changed, +33 -7 lines changed

dist/spec/index.html

Lines changed: 18 additions & 7 deletions
@@ -1214,7 +1214,7 @@
12141214
</style>
12151215
<meta content="Bikeshed version 53d2305928d30790ebcc3b8ea611fb0709647013" name="generator">
12161216
<link href="https://w3c.github.io/webappsec-trusted-types/dist/spec/" rel="canonical">
1217-
<meta content="cddc9e0a32cbf29e1efcff2ba5f85fe8a394ea3d" name="document-revision">
1217+
<meta content="4ef7905f726449562b10edda414903fa301b0e3c" name="document-revision">
12181218
<style>/* style-md-lists */
12191219

12201220
/* This is a weird hack for me not yet following the commonmark spec
@@ -1461,7 +1461,7 @@
14611461
<div class="head">
14621462
<p data-fill-with="logo"><a class="logo" href="https://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/StyleSheets/TR/2016/logos/W3C" width="72"> </a> </p>
14631463
<h1 class="p-name no-ref" id="title">Trusted Types</h1>
1464-
<h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft, <time class="dt-updated" datetime="2020-03-05">5 March 2020</time></span></h2>
1464+
<h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft, <time class="dt-updated" datetime="2020-03-06">6 March 2020</time></span></h2>
14651465
<div data-fill-with="spec-metadata">
14661466
<dl>
14671467
<dt>This version:
@@ -1599,7 +1599,8 @@ <h2 class="no-num no-toc no-ref" id="contents">Table of Contents</h2>
15991599
<ol class="toc">
16001600
<li><a href="#cross-document-vectors"><span class="secno">5.1</span> <span class="content">Cross-document vectors</span></a>
16011601
<li><a href="#deprecated-features"><span class="secno">5.2</span> <span class="content">Deprecated features</span></a>
1602-
<li><a href="#best-practices-for-policy-design"><span class="secno">5.3</span> <span class="content">Best practices for policy design</span></a>
1602+
<li><a href="#plugins"><span class="secno">5.3</span> <span class="content">Plugin navigation</span></a>
1603+
<li><a href="#best-practices-for-policy-design"><span class="secno">5.4</span> <span class="content">Best practices for policy design</span></a>
16031604
</ol>
16041605
<li>
16051606
<a href="#implementation-considerations"><span class="secno">6</span> <span class="content">Implementation Considerations</span></a>
@@ -3338,7 +3339,16 @@ <h3 class="heading settled" data-level="5.2" id="deprecated-features"><span clas
33383339
<li data-md>
33393340
<p><a href="https://w3c.github.io/webcomponents/spec/imports/">HTML imports</a></p>
33403341
</ul>
3341-
<h3 class="heading settled" data-level="5.3" id="best-practices-for-policy-design"><span class="secno">5.3. </span><span class="content">Best practices for policy design</span><a class="self-link" href="#best-practices-for-policy-design"></a></h3>
3342+
<h3 class="heading settled" data-level="5.3" id="plugins"><span class="secno">5.3. </span><span class="content">Plugin navigation</span><a class="self-link" href="#plugins"></a></h3>
3343+
<p>Plugin content may have access to the document that embeds it (or; more broadly,
3344+
to the origin it was served from), often giving it the same capabilities
3345+
as DOM XSS. That’s why Trusted Types limit <code class="idl"><a data-link-type="idl">HTMLObjectElement.src</a></code> to <code class="idl"><a data-link-type="idl" href="#trustedscripturl" id="ref-for-trustedscripturl①②">TrustedScriptURL</a></code>.</p>
3346+
<p>However, it is also possible to navigate an existing object / embed to an
3347+
arbitrary location, bypassing the <code class="idl"><a data-link-type="idl" href="#trustedscripturl" id="ref-for-trustedscripturl①③">TrustedScriptURL</a></code> restriction.</p>
3348+
<p>Since plugin content in the web in general is being phased out for other
3349+
security reasons, and their navigation model is in flux, we recommend authors
3350+
to prevent that bypass vector by limiting the plugins altogether with <a data-link-type="dfn" href="https://w3c.github.io/webappsec-csp/#object-src" id="ref-for-object-src">object-src</a>. For example: <code>Content-Security-Policy: object-src: none</code>.</p>
3351+
<h3 class="heading settled" data-level="5.4" id="best-practices-for-policy-design"><span class="secno">5.4. </span><span class="content">Best practices for policy design</span><a class="self-link" href="#best-practices-for-policy-design"></a></h3>
33423352
<p>Trusted Types limit the scope of the code that can introduce
33433353
vulnerabilities via <a data-link-type="dfn" href="#injection-sink" id="ref-for-injection-sink②⑦">injection sinks</a> to the implementation of <a data-link-type="dfn" href="#policies" id="ref-for-policies⑥">policies</a>.
33443354
In this design, insecure policies can still expose <a data-link-type="dfn" href="#injection-sink" id="ref-for-injection-sink②⑧">injection sinks</a> to untrusted data.
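Review bot: the example header added in the new 5.3 paragraph, `Content-Security-Policy: object-src: none`, is not valid CSP syntax: a directive name is separated from its source list by a space, not a colon, and the `none` keyword must be single-quoted, so the example should read `Content-Security-Policy: object-src 'none'`; as written, a reader who copies it gets a policy that does not block plugins as the paragraph intends. The same paragraph also has `(or; more broadly,`, where the semicolon should be a comma. Since dist/spec/index.html is Bikeshed output (see the generator meta in the first hunk), both fixes belong in spec/index.bs followed by a regeneration rather than a hand edit here.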
@@ -4160,7 +4170,7 @@ <h2 class="no-num no-ref heading settled" id="idl-index"><span class="content">I
41604170
<c- b>readonly</c-> <c- b>attribute</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①⓪①"><c- b>DOMString</c-></a> <a data-readonly data-type="DOMString" href="#dom-trustedtypepolicy-name"><code><c- g>name</c-></code></a>;
41614171
<a class="n" data-link-type="idl-name" href="#trustedhtml" id="ref-for-trustedhtml⑤①"><c- n>TrustedHTML</c-></a> <a class="idl-code" data-link-type="method" href="#dom-trustedtypepolicy-createhtml" id="ref-for-dom-trustedtypepolicy-createhtml②"><c- g>createHTML</c-></a>(<a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①①①"><c- b>DOMString</c-></a> <a href="#dom-trustedtypepolicy-createhtml-input-arguments-input"><code><c- g>input</c-></code></a>, <c- b>any</c->... <a href="#dom-trustedtypepolicy-createhtml-input-arguments-arguments"><code><c- g>arguments</c-></code></a>);
41624172
<a class="n" data-link-type="idl-name" href="#trustedscript" id="ref-for-trustedscript④①"><c- n>TrustedScript</c-></a> <a class="idl-code" data-link-type="method" href="#dom-trustedtypepolicy-createscript" id="ref-for-dom-trustedtypepolicy-createscript②"><c- g>createScript</c-></a>(<a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①②①"><c- b>DOMString</c-></a> <a href="#dom-trustedtypepolicy-createscript-input-arguments-input"><code><c- g>input</c-></code></a>, <c- b>any</c->... <a href="#dom-trustedtypepolicy-createscript-input-arguments-arguments"><code><c- g>arguments</c-></code></a>);
4163-
<a class="n" data-link-type="idl-name" href="#trustedscripturl" id="ref-for-trustedscripturl①"><c- n>TrustedScriptURL</c-></a> <a class="idl-code" data-link-type="method" href="#dom-trustedtypepolicy-createscripturl" id="ref-for-dom-trustedtypepolicy-createscripturl②"><c- g>createScriptURL</c-></a>(<a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①③①"><c- b>DOMString</c-></a> <a href="#dom-trustedtypepolicy-createscripturl-input-arguments-input"><code><c- g>input</c-></code></a>, <c- b>any</c->... <a href="#dom-trustedtypepolicy-createscripturl-input-arguments-arguments"><code><c- g>arguments</c-></code></a>);
4173+
<a class="n" data-link-type="idl-name" href="#trustedscripturl" id="ref-for-trustedscripturl①"><c- n>TrustedScriptURL</c-></a> <a class="idl-code" data-link-type="method" href="#dom-trustedtypepolicy-createscripturl" id="ref-for-dom-trustedtypepolicy-createscripturl②"><c- g>createScriptURL</c-></a>(<a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①③①"><c- b>DOMString</c-></a> <a href="#dom-trustedtypepolicy-createscripturl-input-arguments-input"><code><c- g>input</c-></code></a>, <c- b>any</c->... <a href="#dom-trustedtypepolicy-createscripturl-input-arguments-arguments"><code><c- g>arguments</c-></code></a>);
41644174
};
41654175

41664176
<c- b>dictionary</c-> <a href="#dictdef-trustedtypepolicyoptions"><code><c- g>TrustedTypePolicyOptions</c-></code></a> {
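Review bot: the removed and added createScriptURL lines at 4163/4173 are identical in the rendered text, so this hunk is either a whitespace-only or invisible-character change from the generator; harmless if so, but worth confirming that the rebuild did not pick up an unrelated local edit, since nothing in the commit message touches the IDL index.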
@@ -4287,7 +4297,7 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
42874297
<li><a href="#ref-for-injection-sink②③">4.5.2. trusted-types directive</a> <a href="#ref-for-injection-sink②④">(2)</a>
42884298
<li><a href="#ref-for-injection-sink②⑤">4.5.3. Should sink type mismatch violation be blocked by Content Security Policy?</a>
42894299
<li><a href="#ref-for-injection-sink②⑥">5. Security Considerations</a>
4290-
<li><a href="#ref-for-injection-sink②⑦">5.3. Best practices for policy design</a> <a href="#ref-for-injection-sink②⑧">(2)</a>
4300+
<li><a href="#ref-for-injection-sink②⑦">5.4. Best practices for policy design</a> <a href="#ref-for-injection-sink②⑧">(2)</a>
42914301
<li><a href="#ref-for-injection-sink②⑨">6.1. Vendor-specific Extensions and Addons</a>
42924302
</ul>
42934303
</aside>
@@ -4340,6 +4350,7 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
43404350
<li><a href="#ref-for-trustedscripturl⑦">4.1.3.2. Setting slot values</a>
43414351
<li><a href="#ref-for-trustedscripturl⑧">4.1.4. Enforcement in element attributes</a> <a href="#ref-for-trustedscripturl⑨">(2)</a> <a href="#ref-for-trustedscripturl①⓪">(3)</a>
43424352
<li><a href="#ref-for-trustedscripturl①①">4.2. Integration with SVG</a>
4353+
<li><a href="#ref-for-trustedscripturl①②">5.3. Plugin navigation</a> <a href="#ref-for-trustedscripturl①③">(2)</a>
43434354
</ul>
43444355
</aside>
43454356
<aside class="dfn-panel" data-for="policies">
@@ -4351,7 +4362,7 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
43514362
<li><a href="#ref-for-policies③">2.4. Enforcement</a>
43524363
<li><a href="#ref-for-policies④">2.4.1. Content Security Policy</a>
43534364
<li><a href="#ref-for-policies⑤">4.5.2. trusted-types directive</a>
4354-
<li><a href="#ref-for-policies⑥">5.3. Best practices for policy design</a>
4365+
<li><a href="#ref-for-policies⑥">5.4. Best practices for policy design</a>
43554366
</ul>
43564367
</aside>
43574368
<aside class="dfn-panel" data-for="trustedtypepolicyfactory">

spec/index.bs

Lines changed: 15 additions & 0 deletions
@@ -1886,6 +1886,21 @@ restrictions:
18861886

18871887
* <a href="https://w3c.github.io/webcomponents/spec/imports/">HTML imports</a>
18881888

1889+
## Plugin navigation ## {#plugins}
1890+
1891+
Plugin content may have access to the document that embeds it (or; more broadly,
1892+
to the origin it was served from), often giving it the same capabilities
1893+
as DOM XSS. That's why Trusted Types limit {{HTMLObjectElement.src}} to
1894+
{{TrustedScriptURL}}.
1895+
1896+
However, it is also possible to navigate an existing object / embed to an
1897+
arbitrary location, bypassing the {{TrustedScriptURL}} restriction.
1898+
1899+
Since plugin content in the web in general is being phased out for other
1900+
security reasons, and their navigation model is in flux, we recommend authors
1901+
to prevent that bypass vector by limiting the plugins altogether with
1902+
[=object-src=]. For example: `Content-Security-Policy: object-src: none`.
1903+
18891904
## Best practices for policy design ## {#best-practices-for-policy-design}
18901905

18911906
Trusted Types limit the scope of the code that can introduce
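Review bot: the example on the last new line, `Content-Security-Policy: object-src: none`, is not valid CSP syntax: drop the colon after the directive name and quote the keyword, giving `Content-Security-Policy: object-src 'none'`; this is the line readers will copy, so it should be the form browsers actually enforce. Two wording points in the same section: `(or; more broadly,` should use a comma rather than a semicolon, and "we recommend authors to prevent that bypass vector" reads more naturally as "we recommend that authors prevent that bypass vector". It may also help to state explicitly that the navigation bypass is possible because only the initial {{HTMLObjectElement.src}} assignment is covered by the {{TrustedScriptURL}} check, which is what the paragraph implies but does not say.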
