Closed brandonmcconnell closed 2 years ago
Can you elaborate on what you mean by XSS blocking? The polyfill does use eval, yes. While this is certainly less secure than the browser implementations of Paint Worklet, the increase in surface area is the same: CSS Custom Paint makes it possible for CSS to trigger JavaScript execution via paint(), but only when a given Paint Worklet has been registered, which requires scripting access in the first place.
@developit Thanks for your response. I'm working on something related to Paint now.
So in other words, using eval() is no less secure than using the native Houdini paint() itself — is that correct? I'm not trying to aggravate, just level-setting. I'm rather new to Houdini in general.
I wouldn't say it's as secure as the browser implementation, no. The eval usage here is part of a simple sandboxed environment where Paint Worklet code runs. In the browser implementation, that is done using a separate realm that makes it impossible for Paint Worklet code to access the document or global scope of a web page. In the polyfill, a malicious Paint Worklet could easily break out of this sandbox.
The security implications of this depend on how you use Paint Worklets. If you only ever load Worklets you have authored or installed and load them from your own domain, there isn't really an increased security risk associated with the polyfill's use of eval(). However, if you were to load remote Paint Worklets, these could bypass the polyfill's sandbox and access your page.
So, if you are able to trust the code/url you're passing to CSS.paintWorklets.addModule(), the risk is probably tolerable. If you can't trust that code, even without the polyfill present, it's likely too high risk.
@developit Thanks for clarifying! That answers my question.
Will this polyfill work reliably in sites/environments which block XSS? I see the script creates and uses an eval(), which I am thinking might get flagged and blocked by one of these XSS blockers.
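The thread makes two practical points: the polyfill can only run where dynamic code evaluation is permitted (a Content-Security-Policy without `'unsafe-eval'` is the usual "XSS blocker" that stops it), and because the polyfill's sandbox can be escaped, worklet code should only be loaded from a URL you control. The following is an added example, not code from the css-paint-polyfill project or from either participant, showing how a page can feature-detect both conditions and apply that trust rule before calling `addModule()`. It assumes a WHATWG `URL` implementation (browser or Node); the native API name `CSS.paintWorklet` is the real one, while the `polyfillDecision`, `isTrustedModule` and `evalAllowed` helpers and the example origins are constructed here.

```javascript
// Added example: decide whether loading the eval-based Paint Worklet polyfill is
// acceptable for a given worklet URL. Helper names and sample origins are constructed.

// Native support check: the real API is CSS.paintWorklet (with addModule()).
// When it exists, the browser's separate realm sandboxes worklet code and the
// polyfill is not needed at all.
function hasNativePaintWorklet(globalObj = globalThis) {
  return typeof globalObj.CSS !== 'undefined' && 'paintWorklet' in globalObj.CSS;
}

// Eval permission check: under a CSP that lacks 'unsafe-eval', constructing a
// Function from a string throws, which is exactly what stops the polyfill.
function evalAllowed() {
  try {
    new Function('return 1')();
    return true;
  } catch (e) {
    return false;
  }
}

// Trust rule from the thread: only load worklet code whose origin you control.
// Relative URLs resolve against the page origin; non-http(s) schemes
// (javascript:, data:, blob:) are refused because their origin is opaque or
// attacker-controlled.
function isTrustedModule(moduleUrl, pageOrigin, trustedOrigins = []) {
  let parsed;
  let page;
  try {
    page = new URL(pageOrigin).origin;
    parsed = new URL(moduleUrl, page);
  } catch (e) {
    return false;
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return false;
  const allowed = new Set([page]);
  for (const o of trustedOrigins) {
    try { allowed.add(new URL(o).origin); } catch (e) { /* ignore malformed entries */ }
  }
  return allowed.has(parsed.origin);
}

// Combine the checks. nativeSupport and evalOk are injectable so the decision
// logic can be exercised outside a browser.
function polyfillDecision({
  moduleUrl,
  pageOrigin,
  trustedOrigins = [],
  nativeSupport = hasNativePaintWorklet(),
  evalOk = evalAllowed(),
}) {
  if (nativeSupport) {
    return { load: false, reason: 'native Paint Worklet available; browser sandbox applies' };
  }
  if (!isTrustedModule(moduleUrl, pageOrigin, trustedOrigins)) {
    return { load: false, reason: 'untrusted worklet origin; polyfill sandbox can be escaped' };
  }
  if (!evalOk) {
    return { load: false, reason: 'eval() blocked (e.g. CSP without unsafe-eval); polyfill cannot run' };
  }
  return { load: true, reason: 'first-party worklet and eval permitted' };
}

// Example usage with constructed values (a page on https://example.com):
const decision = polyfillDecision({
  moduleUrl: '/worklets/fancy-border.js',
  pageOrigin: 'https://example.com',
  nativeSupport: false,
  evalOk: true,
});
console.log(decision.load, decision.reason);

module.exports = { hasNativePaintWorklet, evalAllowed, isTrustedModule, polyfillDecision };
```

In a real page the two injected flags would come from the detectors, and the `load: false` branches are where you would either skip the paint() feature entirely or ship a CSS fallback, rather than relaxing the CSP to `'unsafe-eval'` for the sake of the polyfill.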