element-hq / element-web

A glossy Matrix collaboration client for the web.
https://element.io
GNU Affero General Public License v3.0

require-trusted-types-for 'script'; trusted-types 'none' #17701

Open DemiMarie opened 3 years ago

DemiMarie commented 3 years ago

Is your suggestion related to a problem? Please describe.

Element uses unsafe DOM manipulation which poses a risk of cross-site scripting and other attacks.

Describe the solution you'd like.

Remove the unsafe DOM manipulation and set Content-Security-Policy: require-trusted-types-for 'script'; trusted-types 'none'

Describe alternatives you've considered.

None

Additional context

thestinger commented 3 years ago

https://microsoftedge.github.io/edgevr/posts/eliminating-xss-with-trusted-types/ is a blog post about using it with trusted-types 'none'. Element likely uses various libraries which would require making Trusted Types policies rather than using the safer 'none' approach avoiding trust in sanitizers, etc. Using 'none' is a good long-term goal. Requiring Trusted Types and making policies to make the current messy setup work is a realistic short-term goal.

Trusted Types is the single most important defense against XSS for a static site like Element. It's also important to have script-src 'self' and ideally style-src 'self', but it's less impactful. That's just the beginning of providing a secure setup. There's a whole lot more to do with CSP and then protecting against side channels by properly setting up headers for cross-origin isolation.
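As an added example (not element-web's code and not written by either commenter), a small Node script that parses a Content-Security-Policy header and reports how far it is from the setup requested in this issue, checked against three constructed headers: a typical permissive policy, an interim one with a named Trusted Types policy, and the trusted-types 'none' goal.

```javascript
// Added example, not element-web's code. Parses a CSP header and checks it
// against the Trusted Types setup requested in this issue plus the
// script-src/style-src 'self' directives recommended in the second comment.

// Parse "dir v1 v2; dir2 v3" into a Map of lowercase directive -> values.
// A directive that appears twice is ignored after the first, as browsers do.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), values);
    }
  }
  return policy;
}

// Return the gaps between a header and the issue's goal as short strings.
// An empty array means DOM XSS sinks only accept Trusted Types objects and
// no policy is allowed to create them, i.e. the 'none' setup from the issue.
function auditCsp(header) {
  const csp = parseCsp(header);
  const findings = [];

  const sinks = csp.get('require-trusted-types-for') || [];
  if (!sinks.includes("'script'")) {
    findings.push("require-trusted-types-for 'script' missing: innerHTML, eval, etc. still accept plain strings");
  }

  const policies = csp.get('trusted-types');
  if (policies === undefined) {
    findings.push('trusted-types missing: a page may create policies under any name');
  } else if (!(policies.length === 1 && policies[0] === "'none'")) {
    // Named policies are the realistic short-term state; 'none' is the goal.
    findings.push(`trusted-types allows policies: ${policies.join(' ')}`);
  }

  const scriptSrc = csp.get('script-src') || csp.get('default-src') || [];
  if (!scriptSrc.includes("'self'") || scriptSrc.includes("'unsafe-inline'")) {
    findings.push(`script-src should be 'self' without 'unsafe-inline' (got: ${scriptSrc.join(' ') || 'nothing'})`);
  }

  const styleSrc = csp.get('style-src') || csp.get('default-src') || [];
  if (!styleSrc.includes("'self'")) {
    findings.push("style-src 'self' not set (less impactful, but recommended)");
  }
  return findings;
}

// Constructed sample headers: a permissive policy, an interim one, and the goal.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const INTERIM_CSP = "script-src 'self'; style-src 'self'; require-trusted-types-for 'script'; trusted-types dompurify";
const GOAL_CSP = "script-src 'self'; style-src 'self'; require-trusted-types-for 'script'; trusted-types 'none'";

for (const h of [WEAK_CSP, INTERIM_CSP, GOAL_CSP]) console.log(h, '\n  ->', auditCsp(h));
```

The findings are only about the header; the real work the issue describes, removing the unsafe DOM manipulation so the app still runs once sinks reject strings, has to be done in the client code itself.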