Open DemiMarie opened 3 years ago
https://microsoftedge.github.io/edgevr/posts/eliminating-xss-with-trusted-types/ is a blog post about using it with trusted-types 'none'. Element likely uses various libraries which would require making Trusted Types policies rather than using the safer 'none' approach avoiding trust in sanitizers, etc. Using 'none' is a good long-term goal. Requiring Trusted Types and making policies to make the current messy setup work is a realistic short-term goal.
Trusted Types is the single most important defense against XSS for a static site like Element. It's also important to have script-src 'self' and ideally style-src 'self', but it's less impactful. That's just the beginning of providing a secure setup. There's a whole lot more to do with CSP and then protecting against side channels by properly setting up headers for cross-origin isolation.
Is your suggestion related to a problem? Please describe.
Element uses unsafe DOM manipulation which poses a risk of cross-site scripting and other attacks.
Describe the solution you'd like.
Remove the unsafe DOM manipulation and set
Content-Security-Policy: require-trusted-types-for 'script'; trusted-types 'none'
Describe alternatives you've considered.
None
Additional context
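Added example (my own illustration, not code from Element or from the issue author): the three rendering strategies the issue contrasts, run under Node against constructed stand-ins for the DOM and for window.trustedTypes. MiniDocument, MiniNode, TrustedHTMLStandIn and makeTrustedTypes are assumptions made for this example, not browser APIs; EVIL_NAME is a constructed payload; the policy's createHTML rule is a deliberately weak placeholder, not a sanitizer. In a real page you would pass document and window.trustedTypes instead of the stand-ins.

```javascript
// Added example; not Element's code and not from the issue. The DOM and
// trustedTypes objects below are constructed stand-ins so the rendering
// strategies discussed in the issue can be run and compared under Node.

// Stand-in for the browser's TrustedHTML: the only value an HTML sink accepts
// once require-trusted-types-for 'script' is in force.
class TrustedHTMLStandIn {
  constructor(html) { this.html = String(html); }
  toString() { return this.html; }
}

// Stand-in for window.trustedTypes. allowedPolicyNames === null models the
// trusted-types directive being absent (any policy name accepted); an empty
// array models `trusted-types 'none'`, under which createPolicy always throws.
function makeTrustedTypes(allowedPolicyNames) {
  return {
    createPolicy(name, rules) {
      if (allowedPolicyNames !== null && !allowedPolicyNames.includes(name)) {
        throw new TypeError(`policy "${name}" is not allowed by the trusted-types directive`);
      }
      return { name, createHTML: (s) => new TrustedHTMLStandIn(rules.createHTML(String(s))) };
    },
  };
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal element/text node; tagName === null means a text node.
class MiniNode {
  constructor(doc, tagName, text) {
    this.doc = doc; this.tagName = tagName; this.text = text;
    this.className = ''; this.children = []; this.rawHtml = '';
  }
  get firstChild() { return this.children.length ? this.children[0] : null; }
  appendChild(node) { this.children.push(node); return node; }
  removeChild(node) { this.children = this.children.filter((c) => c !== node); return node; }
  set textContent(s) { this.children = [this.doc.createTextNode(s)]; this.rawHtml = ''; }
  // The HTML sink. With require-trusted-types-for 'script' the browser rejects a
  // plain string here with a TypeError (unless a 'default' policy exists).
  set innerHTML(value) {
    if (this.doc.requireTrustedTypes && !(value instanceof TrustedHTMLStandIn)) {
      throw new TypeError("This document requires 'TrustedHTML' assignment");
    }
    this.children = []; this.rawHtml = String(value);
  }
  // Serialise: text nodes are escaped, innerHTML payloads come out as live markup.
  outerHTML() {
    if (this.tagName === null) return escapeHtml(this.text);
    const cls = this.className ? ` class="${escapeHtml(this.className)}"` : '';
    const inner = this.rawHtml + this.children.map((c) => c.outerHTML()).join('');
    return `<${this.tagName}${cls}>${inner}</${this.tagName}>`;
  }
}

class MiniDocument {
  constructor(requireTrustedTypes) { this.requireTrustedTypes = requireTrustedTypes; }
  createElement(tag) { return new MiniNode(this, tag, null); }
  createTextNode(s) { return new MiniNode(this, null, String(s)); }
}

const TEMPLATE = (displayName, body) => `<div class="msg"><b>${displayName}</b>: ${body}</div>`;

// 1. The unsafe DOM manipulation the issue wants removed: untrusted strings
//    concatenated straight into an HTML sink.
function renderUnsafe(container, displayName, body) {
  container.innerHTML = TEMPLATE(displayName, body);
}

// 2. Short-term goal from the issue: keep the sink but feed it through a named
//    policy. Safety now rests entirely on the policy's createHTML rule.
function renderViaPolicy(policy, container, displayName, body) {
  container.innerHTML = policy.createHTML(TEMPLATE(displayName, body));
}

// 3. Long-term goal: no HTML sink at all, so it works under trusted-types 'none'.
function renderSinkFree(doc, container, displayName, body) {
  const msg = doc.createElement('div');
  msg.className = 'msg';
  const name = doc.createElement('b');
  name.textContent = displayName;            // markup in displayName stays inert text
  msg.appendChild(name);
  msg.appendChild(doc.createTextNode(': ' + body));
  while (container.firstChild) container.removeChild(container.firstChild); // not innerHTML = ''
  container.appendChild(msg);
  return msg;
}

const EVIL_NAME = '<img src=x onerror=alert(1)>';   // constructed attacker-controlled display name

// Run each strategy against the payload and report what the DOM ends up holding.
function runScenarios() {
  const lax = new MiniDocument(false);     // no CSP: the sink accepts strings
  const strict = new MiniDocument(true);   // require-trusted-types-for 'script'
  const out = {};
  const c1 = lax.createElement('div');
  renderUnsafe(c1, EVIL_NAME, 'hi');
  out.unsafeMarkup = c1.outerHTML();       // the onerror handler lands in the DOM
  try { renderUnsafe(strict.createElement('div'), EVIL_NAME, 'hi'); out.unsafeUnderCsp = 'ran'; }
  catch (e) { out.unsafeUnderCsp = e.constructor.name; }
  const policy = makeTrustedTypes(['element-html']).createPolicy('element-html', {
    createHTML: (s) => s.replace(/\son\w+=[^\s>]+/g, ''), // PLACEHOLDER only, trivially bypassable; not a sanitizer
  });
  const c3 = strict.createElement('div');
  renderViaPolicy(policy, c3, EVIL_NAME, 'hi');
  out.policyMarkup = c3.outerHTML();
  try { makeTrustedTypes([]).createPolicy('element-html', { createHTML: (s) => s }); out.policyUnderNone = 'created'; }
  catch (e) { out.policyUnderNone = e.constructor.name; }
  const c5 = strict.createElement('div');
  renderSinkFree(strict, c5, EVIL_NAME, 'hi');
  out.sinkFreeMarkup = c5.outerHTML();
  return out;
}

if (typeof require !== 'undefined' && require.main === module) console.log(runScenarios());
```

What the results show: the unsafe path puts the img element with its onerror handler into the DOM, and under require-trusted-types-for 'script' the same assignment throws before it runs at all, which is why simply turning the header on breaks existing code. The policy path keeps the sink working but everything hinges on the createHTML rule (here a placeholder that strips on*= attributes and nothing else), which is the trust in sanitizers the issue wants to avoid; under trusted-types 'none' createPolicy itself throws. The sink-free path works under either directive because the payload only ever becomes a text node.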