mikewest / securer-contexts

Secure Contexts, but with _more_ secureness!

Thoughts on meaningful [SecureContext=Injection] #8

Closed shhnjk closed 2 months ago

shhnjk commented 2 years ago

I think we should add Strict CSP and Trusted Types to requirements of [SecureContext=Injection].

While Strict CSP can guarantee a somewhat reasonable mitigation for XSS, it's hard to set a guarantee on Trusted Types without a security reviewer.

For example, an easy way to enable Trusted Types in an existing site would be:

```js
trustedTypes.createPolicy('default', {
  createHTML: x => x,
  createScript: x => x,
  createScriptURL: x => x,
});
```

Which doesn't increase the security of the site.

Therefore, the only option I can think of is to require Perfect Types. However, this is practically difficult without the Sanitizer API and/or TrustedTypes.fromLiteral for existing websites (and might be impossible for sites that use frameworks that create TT policies).

On the other hand, if we remove the Trusted Types requirement from [SecureContext=Injection], an attacker can easily abuse permission delegation and inherit permissions from the parent frame into an attacker's site. Therefore, frame-src 'none' or 'self' should be required.

mikewest commented 2 years ago

Given current browser support, StrictCSP is the only thing we could require. I agree that that has limitations, and that Trusted Types would address many of them, but I don't see a path to any other consensus at the moment.

Regarding framing, I recognize the risk you're pointing to, but I don't think frame-src 'self' is a terribly deployable constraint in itself, and seems to be addressing a concern distinct from script injection. Getting folks to deploy a reasonable policy mitigating the most common forms of injection seems like enough of a win that I'd prefer to see that approach scale, rather than imposing a limitation most sites won't be able to accept.
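Added example (not code from the securer-contexts repo): a small JavaScript checker for the two policy shapes discussed in this thread, the Strict CSP that mikewest says is the only requirement with enough browser support, and the frame-src 'none'/'self' restriction shhnjk proposed. The Strict CSP criteria it applies (a nonce- or hash-source plus 'strict-dynamic' on script-src, object-src 'none', base-uri 'none' or 'self') are my assumption, modelled on the common Strict CSP recipe rather than on any text in this thread.

```javascript
// Added example, not part of securer-contexts. Criteria are an assumption
// modelled on the usual Strict CSP recipe; adjust to whatever the final
// [SecureContext=Injection] definition requires.

function parseCsp(header) {
  // A CSP is ';'-separated directives of the form "name value value ...".
  // Later duplicates of a directive name are ignored, as browsers do.
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

// Nonce- or hash-source expression, e.g. 'nonce-R4nd0m' or 'sha256-...'.
const NONCE_OR_HASH = /^'(nonce-[a-z0-9+/=_-]+|sha(256|384|512)-[a-z0-9+/=]+)'$/i;

function isStrictCsp(header) {
  const d = parseCsp(header);
  // script-src falls back to default-src when absent.
  const script = d.get('script-src') || d.get('default-src') || [];
  const hasNonceOrHash = script.some(v => NONCE_OR_HASH.test(v));
  // With 'strict-dynamic', host allowlists and 'unsafe-inline' are ignored
  // by supporting browsers, so their presence as a fallback is acceptable.
  const strictDynamic = script.some(v => v.toLowerCase() === "'strict-dynamic'");
  const objectNone = (d.get('object-src') || []).join(' ').toLowerCase() === "'none'";
  const baseUri = (d.get('base-uri') || []).join(' ').toLowerCase();
  const baseLocked = baseUri === "'none'" || baseUri === "'self'";
  return hasNonceOrHash && strictDynamic && objectNone && baseLocked;
}

// shhnjk's proposed framing restriction: the effective frame-src must be
// exactly 'none' or 'self'. frame-src falls back to child-src, then default-src.
function framesRestricted(header) {
  const d = parseCsp(header);
  const frame = d.get('frame-src') || d.get('child-src') || d.get('default-src');
  if (!frame) return false; // no applicable directive: any origin may be framed
  const value = frame.map(v => v.toLowerCase()).join(' ');
  return value === "'none'" || value === "'self'";
}
```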

shhnjk commented 2 years ago

If we decide to go with Strict CSP only, is there a possibility to expand to add Trusted Types in the future?

mikewest commented 2 years ago

> If we decide to go with Strict CSP only, is there a possibility to expand to add Trusted Types in the future?

Not easily, as it would be a pretty substantial change to the requirement which would likely remove access to whatever we gate on this WebIDL attribute. In an ideal world, we'd have wider acceptance of something like Trusted Types at the time we shipped this new declaration. But again, I don't see a clear path forward given the respective positions of our colleagues at Mozilla and Apple.

mikewest commented 2 months ago

I'm archiving this repo, and moving the injection discussion to https://mikewest.github.io/injection-mitigated/.

I think this issue in particular is less-relevant given happenings in the intervening years, but if there's still something to discuss, file an issue there. :)