[Feature Request] Trusted Types support

[tosmolka]

Type of report

Feature request

Provide description of the new feature

CKEditor 4 should support Trusted Types API so that it can be seamlessly integrated into applications that enforce Trusted Types for all DOM XSS Injection Sinks (such as innerHTML setters) via CSP directive require-trusted-types-for. Trusted Types are now fully supported in major browsers such as Chrome or Edge.

To support Trusted Types we should identify all instances where CKeditor 4 calls such methods and propose re-factoring. We need to be careful to keep supporting browsers without Trusted Types support. This is usually done by testing whether window.trustedTypes is defined and fall-back to current behavior if it's not.

Initial list to consider:

• Here we could avoid calling Injection Sink methods altogether
  • https://github.com/ckeditor/ckeditor4/blob/e8aad56110b10efc8f43a1befd69baa3a5ebd356/plugins/entities/plugin.js#L83
  • https://github.com/ckeditor/ckeditor4/blob/05e2b1115beb0885a637adb81e7ed091b47a2d8c/core/dom/element.js#L577
  • https://github.com/ckeditor/ckeditor4/blob/05e2b1115beb0885a637adb81e7ed091b47a2d8c/plugins/undo/dev/snapshot.html#L56
  • https://github.com/ckeditor/ckeditor4/blob/05e2b1115beb0885a637adb81e7ed091b47a2d8c/plugins/undo/dev/snapshot.html#L62
  • https://github.com/ckeditor/ckeditor4/blob/05e2b1115beb0885a637adb81e7ed091b47a2d8c/core/skin.js#L265
  • https://github.com/ckeditor/ckeditor4/blob/05e2b1115beb0885a637adb81e7ed091b47a2d8c/plugins/sharedspace/plugin.js#L49
  • https://github.com/ckeditor/ckeditor4/blob/05e2b1115beb0885a637adb81e7ed091b47a2d8c/plugins/undo/dev/snapshot.html#L56
  • https://github.com/ckeditor/ckeditor4/blob/8d9239df44c7af7bf6bb78da0ad1a6cb394c78a3/dev/pastetools/getclipboard.html#L246
• Here we could leverage TrustedTypePolicyFactory.emptyHTML
  • https://github.com/ckeditor/ckeditor4/blob/05e2b1115beb0885a637adb81e7ed091b47a2d8c/core/dom/element.js#L550
• Here we probably need to create unique TrustedTypesPolicy for CKEditor 4 and wrap content using createHTML method prior assignment.
  • https://github.com/ckeditor/ckeditor4/blob/05e2b1115beb0885a637adb81e7ed091b47a2d8c/core/dom/element.js#L539
  • https://github.com/ckeditor/ckeditor4/blob/05e2b1115beb0885a637adb81e7ed091b47a2d8c/core/dom/element.js#L543
  • https://github.com/ckeditor/ckeditor4/blob/05e2b1115beb0885a637adb81e7ed091b47a2d8c/core/dom/element.js#L553
• Here we probably need to wrap with createScriptURL
  • https://github.com/ckeditor/ckeditor4/blob/05e2b1115beb0885a637adb81e7ed091b47a2d8c/core/scriptloader.js#L119

In our app we would benefit even from early partial support of Trusted Types as we don't use all the features. Most of the violations in our use app are generated from core/dom/element.js, core/scriptloader.js and plugins/entities/plugin.js.

References

• Similar feature request in CKEditor 5
• Trusted Types spec
• CSP directive require-trusted-types-for

Similar implementations in other libraries:

• Visual Studio Code
• Webpack
• Angular

[Comandeer]

Trusted Types are now fully supported in major browsers such as Chrome or Edge.

It seems that it's supported only in Chromium-based browsers at the moment, according to MDN.

As CKEditor 4 supports many other browsers, including Internet Explorer, we'd need to have two separate flows (one with TT and one without them) and/or refactor calls to innerHTML in the whole codebase. Sounds like a really big effort yet still worth some research.

[eozmen410]

Hi CKEditor4 maintainers! We are currently working on making popular OSS libraries Trusted Types compatible in efforts to increase Trusted Types adoption and make the JS ecosystem safer. Since you already have an open FR for this, we would like to contribute PRs to add TT support for CKEditor 4.

We've done some pre-work gathering the violations across the codebase, and we're starting with #5506 to add the tooling, we will follow up with fixes for Trusted Types violations.