this post was submitted on 22 Dec 2023
153 points (97.5% liked)

Technology

• Mozilla plans to implement Trusted Types in Firefox to reduce web attacks relying on injected code.

• Trusted Types has been successful in preventing DOM-based XSS on popular websites.

• As more websites adopt Trusted Types, XSS attacks are expected to become less common.

top 3 comments
[–] [email protected] 33 points 10 months ago* (last edited 10 months ago)

I had no idea Trusted Types existed, and it took a while to realise the W3 docs were confusing as hell.
But Mozilla to the rescue: https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API

So it boils down to a JavaScript API to sanitize a string before using it in a plethora of JavaScript functions that interact with the DOM. Neat, but if the developer has to make the policy themselves I don't see the added bonus to this. XSS seems to be still possible if the policy is made incorrectly?

Edit: or am I reading the example wrong and the developer-defined code is on top of whatever the API does with the string? I also don't understand why the browser's implementation of innerHTML couldn't just automatically apply whatever that policy does...
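
The following is an added example, not code from the post or from Mozilla, that illustrates the mechanism the summary bullets and the comment above describe: a Trusted Types policy is the only thing that can mint a `TrustedHTML` value, and once a page ships the CSP `require-trusted-types-for 'script'` the browser's DOM sinks (`innerHTML`, `eval`, script `src`, etc.) reject plain strings. The policy names (`app-html`, `legacy-passthrough`), the `assignInnerHTML` sink model, the plain-object element and the sample input are all constructed for the example; when `window.trustedTypes` is not present (e.g. under Node) a small stand-in with the same `createPolicy()` / `isHTML()` shape is used so the code runs offline.

```javascript
// Added example (not from the original post): a minimal model of a Trusted Types
// policy and an enforced DOM sink. In a browser that enforces the CSP
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types app-html legacy-passthrough
// the real window.trustedTypes is used; elsewhere (e.g. Node) a constructed stand-in
// with the same createPolicy()/isHTML() shape lets the example run offline.

class TrustedHTMLStandIn {
  #value;
  constructor(value) { this.#value = value; }
  toString() { return this.#value; }
}

const trustedTypes = globalThis.trustedTypes ?? {
  // Only a policy can mint a TrustedHTML; application code never constructs one directly.
  createPolicy(name, rules) {
    return {
      name,
      createHTML: (input) => new TrustedHTMLStandIn(rules.createHTML(String(input))),
    };
  },
  isHTML: (value) => value instanceof TrustedHTMLStandIn,
};

// The policy is where the actual security decision lives: this one escapes every
// HTML metacharacter, so whatever comes out can only ever render as text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}
const escapingPolicy = trustedTypes.createPolicy('app-html', { createHTML: escapeHtml });

// Weak policy: returns the input untouched. Trusted Types does not make this safe;
// it only forces the decision into one named, reviewable place instead of at every
// innerHTML assignment scattered through the code base.
const passthroughPolicy = trustedTypes.createPolicy('legacy-passthrough', {
  createHTML: (s) => s,
});

// Model of an enforced sink. Under require-trusted-types-for 'script' the browser's
// own innerHTML setter behaves this way: a plain string throws, a TrustedHTML is accepted.
function assignInnerHTML(element, value) {
  if (!trustedTypes.isHTML(value)) {
    throw new TypeError('innerHTML requires TrustedHTML when Trusted Types are enforced');
  }
  element.innerHTML = value;
  return String(value);
}

// Constructed untrusted input, e.g. a query-string parameter echoed into the page.
const untrusted = '<img src=x onerror="alert(1)">';
const el = { innerHTML: '' }; // constructed stand-in for a DOM element

function demo() {
  const results = {};
  results.escaped = assignInnerHTML(el, escapingPolicy.createHTML(untrusted));
  results.passthrough = assignInnerHTML(el, passthroughPolicy.createHTML(untrusted));
  try {
    assignInnerHTML(el, untrusted); // raw string: rejected by the enforced sink
    results.plainStringAccepted = true;
  } catch (e) {
    results.plainStringAccepted = e instanceof TypeError ? false : true;
  }
  return results;
}

console.log(demo());
```

The `passthrough` result is the honest answer to the question above: a bad policy still allows XSS. What Trusted Types buys a defender is that every path from a string to a dangerous sink now has to go through a small number of named policies, which can be allowlisted in the `trusted-types` CSP directive, grepped for, and reviewed once, instead of auditing every `innerHTML` assignment in the application. The spec also lets a page register a policy named `default`, which the browser applies automatically when a plain string reaches a sink; that is the "apply it automatically" behaviour the edit asks about, but it is opt-in because the browser has no way to know what sanitisation a given site's HTML needs.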

[–] [email protected] 17 points 10 months ago (1 children)
[–] [email protected] 1 points 10 months ago

Not much of a surprise given how they removed GTK theming from Thunderbird and maybe Firefox