- From: Krzysztof Kotowicz <notifications@github.com>
- Date: Mon, 21 Oct 2019 07:27:13 -0700
- To: whatwg/dom <dom@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/dom/issues/789/544540035@github.com>
I've found another approach to integrate the content attribute checks into the lower-level algorithms - namely into these attribute algorithms: * change (called by content attr setters, or attr.value setter), * append (called by clone node, *setAttributeNode*, *attributes.setNamedItem*, *setAttribute*, *toggleAttribute*, content attr setters) * remove * replace (called by *setAttributeNode*, *attributes.setNamedItem*) Similar to [attribute change steps](https://dom.spec.whatwg.org/#concept-element-attributes-change-ext), define **attribute validate steps** in [Element](https://dom.spec.whatwg.org/#interface-element) This and other specifications may define the attribute validate steps for elements. The algorithm would be passed *element*, *localName*, *value* and *namespace*, and would return a string (*validatedValue*) or throw an error. In [*append*](https://dom.spec.whatwg.org/#concept-element-attributes-append) add optional parameter *valueToValidate*. Ascertain that [change](https://dom.spec.whatwg.org/#concept-element-attributes-change)'s *value* argument does not need to be a string. In [set an attribute value](https://dom.spec.whatwg.org/#concept-element-attributes-set-value) pass input value as *valueToValidate* in step 4. In *change*, *append* and *replace* (optionally, also in remove, but that's not needed for TT strictly), add the following steps at the beginning: 1. If attribute change steps are not defined, let *validatedValue* be *value*, stringified. 1. Otherwise, let *validatedValue* be the result of runnning *attribute validate steps* with ... . If that algorithm threw an error, rethrow the error and abort further steps. 1. Set *attribute*'s value to *validatedValue*. The attribute validate steps would be defined in other specs (e.g. HTML or CSP), and would define the behavior for sensitive attributes+element pairs. The behavior would be a thin wrapper around [Get Trusted Types compliant string](https://w3c.github.io/webappsec-trusted-types/dist/spec/#get-trusted-type-compliant-string-algorithm). The result would be that as long as we're dealing with *values* (e.g. `Attr.value` setter, or `Element.setAttribute(name, value)`) the argument could be a Trusted Type, and that would be validated. When dealing with `Attr` *nodes* (e.g. `Element.setAttributeNode()` or `NamedNodeMap.setNamedItem()`), TT could be enforced via a [default policy](https://w3c.github.io/webappsec-trusted-types/dist/spec/#default-policy). This approach solves the bypass via attribute nodes, and also fixes https://github.com/w3c/webappsec-trusted-types/issues/229. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/dom/issues/789#issuecomment-544540035
Received on Monday, 21 October 2019 14:27:15 UTC