w3c / trusted-types

A browser API to prevent DOM-Based Cross Site Scripting in modern web applications.
https://w3c.github.io/trusted-types/dist/spec/

Seeking Trusted Types feedback on Array.isTemplateObject #519

Open littledan opened 4 weeks ago

littledan commented 4 weeks ago

TC39 recently discussed Array.isTemplateObject, a feature to enable TT to allow literal HTML/JS strings. See the notes at https://github.com/tc39/notes/blob/main/meetings/2024-04/april-10.md#arrayistemplateobject-next-steps

The committee wanted to ask the Trusted Types experts: Do you have a preference for same-realm vs cross-realm brand checks? This question means: when you have multiple same-origin iframes, should Array.isTemplateObject guard against cross-realm template objects and return false for them?

My impression is that this question shouldn't matter for expected TT use cases, and either option should work. The normal case is that you apply the tag directly to the template, so you're not crossing template boundaries. The test we're doing is for literal-ness, not isolation context (ShadowRealms and cross-origin iframes are already isolated in different ways, which doesn't permit objects, including templates, to be shared at all).

My understanding is that the realm-specific query was difficult to implement in past attempts, but might be possible to do. The cross-realm check is simpler to specify and implement.

What would you prefer? Once I have an answer from this group, I'll bring it back to TC39 and propose it for Stage 2.7.

lukewarlow commented 4 weeks ago

@koto you're probably best placed to answer this concretely.

My understanding is that for TT we don't care about realms. The threat model for TT is untrusted strings being used in "harmless" code. If someone manages to get to a realm with unprotected eval and fake-mint a literal string, well, that's outside the threat model that TT protects against (it relies on malicious code already executing on the page).

Cc @annevk too

koto commented 4 weeks ago

That is correct, the realms don't matter much for the Trusted Types use case; to be more specific, if Array.isTemplateTag returns true for templates from another realm, it's fine for TT.

annevk commented 4 weeks ago

Reading the TC39 discussion the underlying assumption here is that template objects will never participate in serialize-deserialize? Is that enshrined somehow?

littledan commented 4 weeks ago

@annevk This is a good point; what if this is enshrined with a note in both the Array.isTemplateObject description and the serialize-deserialize spec, which says "the template-object-ness is not currently serialized/deserialized; please consider TT implications if you ever do that"?

annevk commented 3 weeks ago

Currently it would become a plain Array, right? I think adding asserts in serialize-deserialize, possibly with a note, would suffice.