[Proposal] Trusted Types for DOM Manipulation


#1

TL;DR: Some folks on Google’s security team and I have sketched out https://github.com/mikewest/trusted-types. Feedback on the general notion would be very helpful.

DOM-based XSS attacks keep popping up on websites (and it’s only becoming a more common vector as folks discover gadgets in popular libraries). Internally, Google has had a good deal of success at combating this kind of problem with compile-time enforcement of a set of safe HTML types that allow security reviewers to concentrate their time on the places that generate strings meant for the DOM, rather than auditing each DOM manipulation.

Our goal here is to determine whether there’s something generic that we can extract from the various rule sets enforced internally.

The approach is quite vague at the moment, but breaks into three pieces:

  1. We’ll introduce a set of types that correspond to various DOM APIs that convert strings to DOM / URLs / etc. These types will auto-escape the characters that would be interesting in a given context, or allow explicit unsafe creation of an unescaped string.

  2. We’ll enumerate the DOM sinks we’re interested in protecting, and overload each with a variant that accepts a relevant type rather than a DOMString.

  3. We’ll give developers some mechanism to disable the DOMString variants to force themselves through the type system.

We’ve started prototyping what this might look like in Chrome, and plan to upstream tentative tests as we go (see https://github.com/w3c/web-platform-tests/pull/6457, for example). But central questions like layering with libraries and etc. are up in the air at the moment, so y’all’s input would be quite helpful.

Thanks!


#2

Based on interest from folks in Chrome and Mozilla, I’d like to move this proposal to a WICG repository. I’ll poke the chairs about doing so.


#3

Transferred in WICG: https://github.com/WICG/trusted-types.