kingthorin
commented
9 months ago FYI @zaproxy is now using this library :grinning: https://github.com/zaproxy/zap-extensions/pull/5231
Open kingthorin opened 9 months ago
kingthorin
commented
9 months ago FYI @zaproxy is now using this library :grinning: https://github.com/zaproxy/zap-extensions/pull/5231
It would be nice to have handling for: the
trusted-typestrusted-typesandrequire-trusted-types-forThis advice was provided pre-fork:
The process will be basically
define new
ValueValue kinds for new directive values which are more complex than just a boolean. At a glance, you probably want a special Value kind fortt-policy-name, but the others look like they can be handled as booleans on the directive.define new
DirectivesDirective kind for both new directives (trusted-typestrusted-types) and (require-trusted-types-foradd helpers to allow reading and writing their attributes, and ensure that updating keeps their internal
valuesfield up to date (by using theaddValueandremoveValueIgnoringCasehelpers, mainly)define new
ValueValue kinds for new directive values which are more complex than just a boolean. At a glance, you probably want a special Value kind fortt-policy-name, but the others look like they can be handled as booleans on the directive.define new
DirectivesDirective kind for both new directives ("trusted-types" and ("require-trusted-types-for")add helpers to allow reading and writing their attributes, and ensure that updating keeps their internal
valuesfield up to date (by using theaddValueandremoveValueIgnoringCasehelpers, mainly)update the parser to handle them
add tests
optionally add helpers for queries like
"Should Trusted Type policy creation be blocked by Content Security Policy?"Should Trusted Type policy creation be blocked by Content Security Policy?, though these aren't so important.update the parser to handle themThe main challenges in my experience is figuring out what the spec is trying to say and whether that's actually what browsers do. For example, it says the syntax is defined by an ABNF, which means keywords are case-insensitive ("ABNF strings are case insensitive"). So per spec,
'ALLow-DUPlicATES'is a legal way to write'allow-duplicates'. Is that actually intentional? Is that what browsers do? Gotta check. Similarly, are policy names case-sensitive or not? That affects the representation and especially the manipulation of those Values.