WICG / import-maps

How to control the behavior of JavaScript imports
https://html.spec.whatwg.org/multipage/webappapis.html#import-maps

Evading script injection defenses #246

Closed martinthomson closed 2 years ago

martinthomson commented 3 years ago

Quoting the spec:

But there is no fundamentally new capability introduced here, that needs new consideration.

At a fundamental level, this is true, but there is a material difference here in that the script type might not be known. Use of an importmap might escape security processes that rely on evaluating whether scripts are known to be good.

Using <script> means that this code might need to be poorly written for this to be a problem. But it might mean that injection of an importmap is possible where injection of untyped or type=javascript is not.

Not a big deal, but maybe worth noting.

martinthomson commented 3 years ago

As I said, this isn't a big deal, but there is also a potential defense that might be employed. import "importmaps" or a similar sort of positive indicator that the script is aware of and wants to use importmaps would ensure that at least the system into which this is deployed accepts this risk.

domenic commented 2 years ago

I think I've incorporated new wording that explains this issue into the section you refer to:

  • Manual sanitization code (that doesn't rely on CSP for blocking injected scripts) will need to ensure it disallows <script type="importmap"> just like it already disallows <script>.

Let me know if I misunderstood the concern.
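The gap described in this thread, as an added example that is not code from the issue, the import-maps repository or the HTML spec: a sanitizer that decides per `<script>` by its `type` attribute, treating any unknown type as an inert data block, versus the rule the new spec wording asks for. It assumes elements arrive already parsed as `{tagName, attrs}` objects from a real HTML parser (the parser itself is out of scope), and the sample fragments are constructed.

```javascript
// Subset of the JavaScript MIME type essence strings listed in the HTML spec.
const JS_MIME_TYPES = new Set([
  "text/javascript", "application/javascript", "text/ecmascript",
  "application/ecmascript", "text/jscript", "application/x-javascript",
]);

// Mirrors the HTML spec's script type classification: absent/empty or a
// JavaScript MIME type -> classic; "module" -> module; "importmap" -> import
// map; anything else -> a data block the browser never acts on.
// (The legacy `language` attribute is ignored here for brevity.)
function classifyScript(typeAttr) {
  const t = (typeAttr ?? "").trim().toLowerCase();
  if (t === "" || JS_MIME_TYPES.has(t)) return "classic";
  if (t === "module") return "module";
  if (t === "importmap") return "importmap";
  return "data";
}

// A pre-import-maps sanitizer (assumed design, for illustration): it blocks
// the script kinds it knows execute and passes every other type as a data
// block. "importmap" is not on its list, so an injected import map passes.
function naiveAllowsElement(el) {
  if (el.tagName.toLowerCase() !== "script") return true;
  const t = (el.attrs.type ?? "").trim().toLowerCase();
  const executable = t === "" || t === "module" || JS_MIME_TYPES.has(t);
  return !executable;
}

// What the spec wording asks for: disallow <script type="importmap"> just
// like <script>, i.e. drop every <script> element regardless of its type.
function hardenedAllowsElement(el) {
  return el.tagName.toLowerCase() !== "script";
}

// Constructed fragments for the comparison; none is real page content.
const SAMPLE_ELEMENTS = [
  { tagName: "script", attrs: {} },                           // classic
  { tagName: "script", attrs: { type: "text/javascript" } },  // classic
  { tagName: "script", attrs: { type: "module" } },           // module
  { tagName: "SCRIPT", attrs: { type: " ImportMap " } },      // import map
  { tagName: "script", attrs: { type: "application/json" } }, // data block
];

// Returns the kinds of <script> a filter admits that the browser will act on
// (everything except inert data blocks): what "escapes" the sanitizer.
function escapes(filter, elements = SAMPLE_ELEMENTS) {
  return elements
    .filter((el) => el.tagName.toLowerCase() === "script" && filter(el))
    .map((el) => classifyScript(el.attrs.type))
    .filter((kind) => kind !== "data");
}
```

Running `escapes(naiveAllowsElement)` yields `["importmap"]` while `escapes(hardenedAllowsElement)` is empty; the whitespace and case variations on the fourth sample show why the check must normalise the attribute the way the browser does rather than string-match it.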