Open tosmolka opened 2 years ago
Trusted Types are now fully supported in major browsers such as Chrome or Edge.
It seems that it's supported only in Chromium-based browsers at the moment, according to MDN.
As CKEditor 4 supports many other browsers, including Internet Explorer, we'd need to have two separate flows (one with TT and one without them) and/or refactor calls to innerHTML in the whole codebase. Sounds like a really big effort, yet still worth some research.
Hi CKEditor4 maintainers! We are currently working on making popular OSS libraries Trusted Types compatible in efforts to increase Trusted Types adoption and make the JS ecosystem safer. Since you already have an open FR for this, we would like to contribute PRs to add TT support for CKEditor 4.
We've done some pre-work gathering the violations across the codebase, and we're starting with #5506 to add the tooling; we will follow up with fixes for Trusted Types violations.
Type of report
Feature request
Provide description of the new feature
CKEditor 4 should support Trusted Types API so that it can be seamlessly integrated into applications that enforce Trusted Types for all DOM XSS Injection Sinks (such as innerHTML setters) via CSP directive require-trusted-types-for. Trusted Types are now fully supported in major browsers such as Chrome or Edge.
To support Trusted Types we should identify all instances where CKEditor 4 calls such methods and propose refactoring. We need to be careful to keep supporting browsers without Trusted Types support. This is usually done by testing whether window.trustedTypes is defined and falling back to the current behavior if it's not.
Initial list to consider:
In our app we would benefit even from early partial support of Trusted Types as we don't use all the features. Most of the violations in our app are generated from core/dom/element.js, core/scriptloader.js and plugins/entities/plugin.js.
References
Similar implementations in other libraries:
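The feature-detection pattern the request describes (create a policy when window.trustedTypes exists, otherwise keep assigning plain strings, and route every innerHTML write through one helper), as an added example that is not CKEditor 4 code and not part of the original issue. The policy name, the makeHtmlSink/setInnerHtml helpers, and the sanitize hook are this example's own choices; the "fake" Trusted Types object and element below are a constructed stand-in for a document served with require-trusted-types-for 'script', so the block runs outside a browser. In a real page you would pass window.trustedTypes and real elements.

```javascript
// Added example (not CKEditor 4 code): one innerHTML sink adapter that works
// both with and without Trusted Types enforcement.

// Assumed policy name. Under a CSP `trusted-types` directive the name must be
// on the allow list, and creating it twice throws unless 'allow-duplicates' is set.
const POLICY_NAME = 'ckeditor4-example';

// Build the adapter once at startup. `tt` is window.trustedTypes in a browser;
// passing it in explicitly keeps the example testable outside a browser.
// `sanitize` is the audit point: whatever the policy's createHTML returns
// becomes TrustedHTML, so an application would plug its sanitizer in here.
function makeHtmlSink(tt, sanitize = (s) => s) {
  if (tt && typeof tt.createPolicy === 'function') {
    let policy;
    try {
      policy = tt.createPolicy(POLICY_NAME, { createHTML: (s) => sanitize(String(s)) });
    } catch (e) {
      // Name already taken or blocked by CSP: fail loudly rather than silently
      // falling back to strings, which would hide a misconfiguration.
      throw new Error('Trusted Types policy "' + POLICY_NAME + '" could not be created: ' + e.message);
    }
    return { enforced: true, toHtml: (s) => policy.createHTML(s) };
  }
  // Browsers without Trusted Types (e.g. Internet Explorer): current behaviour.
  return { enforced: false, toHtml: (s) => sanitize(String(s)) };
}

// Every former `el.innerHTML = html` call would go through this instead.
function setInnerHtml(sink, element, html) {
  element.innerHTML = sink.toHtml(html);
  return element.innerHTML;
}

// --- Constructed stand-in for an enforcing browser (not a real DOM) ---
class FakeTrustedHTML {
  constructor(v) { this.value = v; }
  toString() { return this.value; }
}
function makeFakeTrustedTypes() {
  const names = new Set();
  return {
    createPolicy(name, rules) {
      if (names.has(name)) throw new TypeError('Policy "' + name + '" already exists');
      names.add(name);
      return { name, createHTML: (s) => new FakeTrustedHTML(rules.createHTML(s)) };
    },
  };
}
// With `enforce` true, a plain string assigned to innerHTML throws, as a
// browser does under require-trusted-types-for 'script'.
function fakeElement(enforce) {
  let stored = '';
  return {
    get innerHTML() { return stored; },
    set innerHTML(v) {
      if (enforce && !(v instanceof FakeTrustedHTML)) {
        throw new TypeError("This document requires 'TrustedHTML' assignment.");
      }
      stored = String(v);
    },
  };
}

function demo() {
  const tt = makeFakeTrustedTypes();
  const withTT = makeHtmlSink(tt);
  const withoutTT = makeHtmlSink(undefined);
  const enforcing = fakeElement(true);
  const legacy = fakeElement(false);

  let directAssignmentFailed = false;
  try { enforcing.innerHTML = '<p>hello</p>'; } catch (e) { directAssignmentFailed = e instanceof TypeError; }

  let duplicateRejected = false;
  try { makeHtmlSink(tt); } catch (e) { duplicateRejected = true; }

  return {
    directAssignmentFailed,                                      // true
    viaPolicy: setInnerHtml(withTT, enforcing, '<p>hello</p>'),  // '<p>hello</p>'
    legacyPath: setInnerHtml(withoutTT, legacy, '<p>hello</p>'), // '<p>hello</p>'
    policyEnforced: withTT.enforced,                             // true
    fallbackEnforced: withoutTT.enforced,                        // false
    duplicateRejected,                                           // true
  };
}
```

The point of the adapter is that the call sites do not change between the two modes; only the value type flowing into the sink does. The duplicate-policy case is worth keeping in mind for a library: if the host page already created a policy with the same name, createPolicy throws, so the name should be unique to the library and documented so integrators can list it in their CSP.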