[whatwg/dom] Trusted Types integration (#789)

We've outlined what we think would be the HTML integration points needed for [Trusted Types](https://w3c.github.io/webappsec-trusted-types/dist/spec/). This accompanies [HTML#3052](https://github.com/whatwg/html/issues/3052) describing the integration with HTML.

## Approaches
The current draft spec implements the TT checks at the DOM sinks (JS functions) layer, and then discards the type information, such that TT become invisible to most other Web APIs and algorithms. The upside is that TT are simpler to spec & implement; the downside is that future sinks might be introduced that skip the TT logic and re-introduce DOM XSS-proneness, or that we might have missed some existing algorithms that would bypass TT already. There are also a few bypasses that require some additional custom protections (e.g. [this](https://w3c.github.io/webappsec-trusted-types/dist/spec/#enforcement-in-script-text)). Let's call that the **tt-at-sinks approach**.

@annevk [proposed](https://github.com/w3c/webappsec-trusted-types/issues/176) an alternative approach: to keep the type information intact such that it can be verified by the algorithms running later on (e.g. when a script is to be prepared, check that its URL was a [`TrustedScriptURL`](https://w3c.github.io/webappsec-trusted-types/dist/spec/#trused-script-url)). Let's call that the **tt-at-primitives approach**.

## TT-at-sinks 
* [Add text node validation steps](https://w3c.github.io/webappsec-trusted-types/dist/spec/#dom-text-node-validation) to the [insert](https://dom.spec.whatwg.org/#concept-node-insert) algorithm.
Note: Perhaps this needs to be changed - the checks might be problematic in step 7 of [node insert](https://dom.spec.whatwg.org/#concept-node-insert) as they can partially fail, and then step 8 doesn't run. Perhaps hook after insertion but pre execution.

* Changes to `Element.setAttribute*`. That's to add TT checks for IDL attributes that reflect content attributes with those checks. Currently only explained as a [note](https://w3c.github.io/webappsec-trusted-types/dist/spec/#!trustedtypes-extended-attribute). This needs some work, but in general the approach is to perform the checks (via the relevant global object) that ascertain that TT type checks are performed, determining the right type for the (context object, qualified name) pair. These callouts may be added to the [set an attribute value](https://dom.spec.whatwg.org/#concept-element-attributes-set-value) algorithm.

* Changes to [set an attribute](https://dom.spec.whatwg.org/#concept-element-attributes-set). Callout to TT when the (element, attr qualified name) needs types (e.g. for `iframe.srcdoc`). The TT checks will attempt to call the [default policy](https://w3c.github.io/webappsec-trusted-types/dist/spec/#default-policy-hdr) on the attribute value, and might abort the algorithm, or change the attr value. 

* Changes to the `Attr` value setter; do the TT checks when setting a value of the attribute on an element, if the (element + attr name) pair requires TT checks. The callout to TT checks can be implemented either in [set an existing attribute value](https://dom.spec.whatwg.org/#set-an-existing-attribute-value), or in the [change an attribute from an element](https://dom.spec.whatwg.org/#concept-element-attributes-change) algorithm. The latter might make the changes to set an attribute above unnecessary.
 
## TT-at-primitives 
The changes required in DOM for this approach would be:

* Add type metadata to [Attr](https://dom.spec.whatwg.org/#interface-attr) and Text nodes. (e.g. allow them to store *string or [TrustedType](https://w3c.github.io/webappsec-trusted-types/dist/spec/#typedefdef-trustedtype)*).

* Change the signatures of `Element.setAttribute*` and other affected DOM APIs to also accept a typed value.

* Change [Attr value getter](https://dom.spec.whatwg.org/#interface-attr) to stringify the output; also in https://dom.spec.whatwg.org/#concept-element-attributes-get-value (or perhaps introduce a *don't stringify* argument?)

* Changes to attribute-related algorithms, similar to the ones outlined in the TT-at-sinks section. Instead of callouts to TT checks, these would likely assert that a value is of an expected type.
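To make the tt-at-sinks callout concrete, here is an added toy model (not spec text, and not code from the Trusted Types or DOM projects) of the check that the "set an attribute value" bullet above would make: the sink table, the `TrustedHTML`/`TrustedScriptURL` wrappers, the policy factory, the `Element` class and the sink names are all constructed for illustration. It shows the three outcomes the TT-at-sinks section describes: a typed value passes through, a plain string is routed to the default policy (which may rewrite or reject it), and the algorithm aborts when no default policy exists; in every case only a string is stored, which is exactly the type-information discard that motivates the tt-at-primitives alternative.

```javascript
'use strict';

// Trusted value wrappers; the sink check only ever stores their stringification.
class TrustedHTML { constructor(v) { this.value = v; } toString() { return this.value; } }
class TrustedScriptURL { constructor(v) { this.value = v; } toString() { return this.value; } }

// Constructed sink table: "localName attrName" -> required type and the policy
// method that produces it. Real browsers have a much longer list.
const SINKS = new Map([
  ['iframe srcdoc', { type: TrustedHTML, method: 'createHTML' }],
  ['script src', { type: TrustedScriptURL, method: 'createScriptURL' }],
]);

// Minimal policy factory: a policy named "default" becomes the default policy
// that the sink check falls back to for plain strings.
const trustedTypes = {
  defaultPolicy: null,
  createPolicy(name, rules) {
    const wrap = (method, Type) => (input, sink) => {
      if (typeof rules[method] !== 'function') throw new TypeError(`${name}: ${method} not defined`);
      const out = rules[method](String(input), sink);
      if (out === null || out === undefined) throw new TypeError(`${name}: ${method} rejected input`);
      return new Type(String(out));
    };
    const policy = { name, createHTML: wrap('createHTML', TrustedHTML),
      createScriptURL: wrap('createScriptURL', TrustedScriptURL) };
    if (name === 'default') this.defaultPolicy = policy;
    return policy;
  },
};

// The callout from "set an attribute value": returns the string to store, or
// throws a TypeError to abort the algorithm. Non-sink attributes are untouched.
function getTrustedTypeCompliantAttributeValue(element, attrName, value) {
  const sink = SINKS.get(`${element.localName} ${attrName}`);
  if (!sink) return String(value);
  if (value instanceof sink.type) return value.toString();
  const policy = trustedTypes.defaultPolicy;
  if (!policy) throw new TypeError(`${element.localName}.${attrName} requires ${sink.type.name}`);
  // The default policy may rewrite the value or reject it (throw); its result is stored as a string.
  return policy[sink.method](value, `${element.localName} ${attrName}`).toString();
}

// Tiny element model whose attribute map stands in for the attribute list.
class Element {
  constructor(localName) { this.localName = localName; this.attributes = new Map(); }
  setAttribute(name, value) {
    this.attributes.set(name, getTrustedTypeCompliantAttributeValue(this, name, value));
  }
  getAttribute(name) { return this.attributes.has(name) ? this.attributes.get(name) : null; }
}
```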

https://github.com/whatwg/dom/issues/789

Received on Friday, 11 October 2019 16:45:48 UTC