brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0

Enable Trusted Types #11845

Open diracdeltas opened 4 years ago

diracdeltas commented 4 years ago

See https://gist.github.com/shhnjk/a44b13dfdbd83c79bd1e2c1b08508f9d for context.

We should enable Trusted Types by default in WebUI pages and exclude any pages that don't support it yet with DisableTrustedTypesCSP (https://source.chromium.org/chromium/chromium/src/+/master:content/browser/webui/web_ui_data_source_impl.cc;l=203;drc=2e4a49088b18eee415d8c530dc9b49fd56b33d0c). This will give us parity with Chrome 87: https://bugs.chromium.org/p/chromium/issues/detail?id=41905

Upstream pages that don't yet support trusted types:

Note that as of #11642, src/brave no longer contains any direct calls to innerHTML or dangerouslySetInnerHTML
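An added example, not part of the original thread and not code from Brave or Chromium: a Node.js check that reports whether a page's CSP enforces Trusted Types, assuming a page that opts out serves a CSP without a `require-trusted-types-for 'script'` directive. The page names, CSP strings and function names are hypothetical and constructed for illustration.

```javascript
// Added example: audit CSP strings for Trusted Types enforcement.
// Page names and CSP values are constructed samples, not real headers.
const samplePages = {
  'example-strict': "script-src 'self'; require-trusted-types-for 'script'; trusted-types;",
  'example-named': "require-trusted-types-for 'script'; trusted-types lit-html default",
  'example-disabled': "script-src 'self'; object-src 'none'",
};

// Parse a CSP into directive name -> value tokens.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    // CSP keeps the first occurrence of a directive and ignores later ones.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function auditTrustedTypes(header) {
  const csp = parseCsp(header);
  const enforced = (csp.get('require-trusted-types-for') || []).includes("'script'");
  const findings = enforced ? [] : ['no-enforcement'];
  let policies = null; // null: no trusted-types directive, policy names unrestricted
  if (csp.has('trusted-types')) {
    const values = csp.get('trusted-types');
    policies = values.filter(v => v !== "'none'" && v !== "'allow-duplicates'");
    if (policies.includes('*')) findings.push('wildcard-policy-name');
    // A 'default' policy silently processes plain string assignments to sinks.
    if (policies.includes('default')) findings.push('default-policy-allowed');
    if (values.includes("'allow-duplicates'")) findings.push('duplicate-policies-allowed');
  } else if (enforced) {
    findings.push('policy-names-unrestricted');
  }
  return { enforced, policies, findings };
}

// Pages whose CSP does not enforce Trusted Types at all.
function pagesWithoutEnforcement(pages) {
  return Object.keys(pages).filter(p => !auditTrustedTypes(pages[p]).enforced).sort();
}

for (const [page, csp] of Object.entries(samplePages)) {
  console.log(page, JSON.stringify(auditTrustedTypes(csp)));
}
```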

diracdeltas commented 4 years ago

@mariospr do you have any tips on how to do this?

mariospr commented 4 years ago

Actually, there's nothing to do for now I think :-) If I'm understanding things right, your PRs from https://github.com/brave/brave-core/pull/6646 and https://github.com/brave/brave-core/pull/6669 removed all traces of insecure assignments to innerHTML in the master branch, which is based on Chromium 86 at the moment.

However, as reported in https://github.com/brave/brave-browser/issues/11642, this started being a problem for Brave when based on Chromium 87, where I needed to add the "Disable Trusted Types mitigation on Brave's Welcome & Rewards pages" patch to make the rewards pages work again. But since your PRs are already in master, and unless there are some other unsafe cases still left in Brave's WebUI pages, we should be able to simply drop that patch I added from the cr87 branch the next time we rebase it on top of the master branch, and things should continue to work.

I'll keep this issue open in a tab and will report here once we do such a rebase on master and check whether that patch can actually go away for real now.

Thanks!!

//cc @mkarolin

https://github.com/brave/brave-browser/issues/11642

diracdeltas commented 4 years ago

awesome, thanks! closing for now

diracdeltas commented 4 years ago

Re-opening this since there are still some Brave-specific pages that don't work with Trusted Types (due to Polymer).

https://github.com/brave/brave-core/pull/6554#discussion_r510293731