GoogleChromeLabs / css-paint-polyfill

CSS Custom Paint / Paint Worklet polyfill with special browser optimizations.
https://googlechromelabs.github.io/css-paint-polyfill/
Apache License 2.0
735 stars 21 forks

Reliable to use on XSS-disabled sites? #23

Closed brandonmcconnell closed 2 years ago

brandonmcconnell commented 3 years ago

Will this polyfill work reliably in sites/environments which block XSS? I see the script creates and uses an eval(), which I am thinking might get flagged and blocked by one of these XSS blockers.

developit commented 3 years ago

Can you elaborate on what you mean by XSS blocking? The polyfill does use eval, yes. While this is certainly less secure than the browser implementations of Paint Worklet, the increase in surface area is the same: CSS Custom Paint makes it possible for CSS to trigger JavaScript execution via paint(), but only when a given Paint Worklet has been registered, which requires scripting access in the first place.

brandonmcconnell commented 3 years ago

@developit Thanks for your response. I'm working on something related to Paint now.

So in other words, using eval() is no less secure than using the native Houdini paint() itself. Is that correct? I'm not trying to aggravate, just level-setting. I'm rather new to Houdini in general.

developit commented 3 years ago

I wouldn't say it's as secure as the browser implementation, no. The eval usage here is part of a simple sandboxed environment where Paint Worklet code runs. In the browser implementation, that is done using a separate realm that makes it impossible for Paint Worklet code to access the document or global scope of a web page. In the polyfill, a malicious Paint Worklet could easily break out of this sandbox.

The security implications of this depend on how you use Paint Worklets. If you only ever load Worklets you have authored or installed and load them from your own domain, there isn't really an increased security risk associated with the polyfill's use of eval(). However, if you were to load remote Paint Worklets, these could bypass the polyfill's sandbox and access your page.

So, if you are able to trust the code/url you're passing to CSS.paintWorklets.addModule(), the risk is probably tolerable. If you can't trust that code, even without the polyfill present, it's likely too high risk.
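To make the "break out of this sandbox" point above concrete, here is an added example. It is my own illustration, not the polyfill's code, and it makes no claim about how the polyfill's sandbox is actually built: it sets up a minimal eval-style sandbox that shadows the obvious globals (`window`, `document`, `globalThis`, `self`) and then runs two constructed worklet sources that recover the real global object anyway, one in sloppy mode and one that escapes even under `'use strict'`. `registerPaint` and `paintRegistry` are stand-ins for the Paint Worklet registration API, and the worklet sources are constructed for the example.

```javascript
// Added example (not the css-paint-polyfill's code): a deliberately naive
// eval-style sandbox that shadows a few globals, and worklet code that escapes it.

// Hypothetical registry standing in for what registerPaint() would populate.
const paintRegistry = new Map();

// Naive "sandbox": evaluate worklet source as a function whose parameters shadow
// the names a worklet would use to reach the page. Same realm, same heap,
// so anything not explicitly shadowed is still reachable.
function runInNaiveSandbox(workletSource) {
  const runner = new Function(
    'window', 'document', 'globalThis', 'self', 'registerPaint',
    workletSource
  );
  const registerPaint = (name, cls) => paintRegistry.set(name, cls);
  return runner(undefined, undefined, undefined, undefined, registerPaint);
}

// Constructed benign worklet: registers a painter and never looks past its scope.
// Inside the shadowed scope, `document` reads as undefined.
const BENIGN_WORKLET = `
  registerPaint('checker', class {
    paint(ctx, geom) { ctx.fillRect(0, 0, geom.width, geom.height); }
  });
  return typeof document;
`;

// Constructed malicious worklet #1: shadowed parameter names are irrelevant,
// because a sloppy-mode function's \`this\` is the real global object.
const SLOPPY_ESCAPE_WORKLET = `
  const realGlobal = (function () { return this; })();
  return realGlobal;
`;

// Constructed malicious worklet #2: even under 'use strict', the Function
// constructor is reachable from any literal, and functions it builds are sloppy.
const STRICT_ESCAPE_WORKLET = `
  'use strict';
  const F = [].constructor.constructor;   // === Function
  return F('return this')();
`;

// What the benign worklet sees when it asks for the document: 'undefined'.
function benignSeesDocument() {
  return runInNaiveSandbox(BENIGN_WORKLET);
}

// Both escapes hand back the page's real global object (window in a browser,
// globalThis here), from which document, cookies, fetch, etc. are one property away.
function sloppyEscapeRecoversGlobal() {
  return runInNaiveSandbox(SLOPPY_ESCAPE_WORKLET) === globalThis;
}

function strictEscapeRecoversGlobal() {
  return runInNaiveSandbox(STRICT_ESCAPE_WORKLET) === globalThis;
}
```

The contrast with a real Paint Worklet is that the browser runs worklet code in a separate realm with its own global object and no reference to the document at all, so there is no object graph to walk back along; shadowing names inside one realm only hides the front door. That is why the trust decision lands on the worklet source you pass to addModule(), exactly as the comment above says.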

brandonmcconnell commented 2 years ago

@developit Thanks for clarifying! That answers my question.