Re: [whatwg/dom] Trusted Types integration (#789) from Krzysztof Kotowicz on 2019-10-21 (public-webapps-github@w3.org from October 2019)

From: Krzysztof Kotowicz <notifications@github.com>
Date: Mon, 21 Oct 2019 07:27:13 -0700
To: whatwg/dom <dom@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/dom/issues/789/544540035@github.com>

I've found another approach to integrate the content attribute checks into the lower-level algorithms - namely into these attribute algorithms:

 * change (called by content attr setters, or attr.value setter), 
 * append (called by clone node, *setAttributeNode*, *attributes.setNamedItem*, *setAttribute*, *toggleAttribute*, content attr setters) 
 * remove
 * replace (called by *setAttributeNode*, *attributes.setNamedItem*)

Similar to [attribute change steps](https://dom.spec.whatwg.org/#concept-element-attributes-change-ext), define **attribute validate steps** in [Element](https://dom.spec.whatwg.org/#interface-element)
This and other specifications may define the attribute validate steps for elements. The algorithm would be passed *element*, *localName*, *value* and *namespace*, and would return a string (*validatedValue*) or throw an error.

In [*append*](https://dom.spec.whatwg.org/#concept-element-attributes-append) add optional parameter *valueToValidate*.
Ascertain that [change](https://dom.spec.whatwg.org/#concept-element-attributes-change)'s *value* argument does not need to be a string.
In [set an attribute value](https://dom.spec.whatwg.org/#concept-element-attributes-set-value) pass input value as *valueToValidate* in step 4. 

In *change*, *append* and *replace* (optionally, also in remove, but that's not needed for TT strictly), 
add the following steps at the beginning:
  1. If attribute change steps are not defined, let *validatedValue* be *value*, stringified. 
  1. Otherwise, let *validatedValue* be the result of runnning *attribute validate steps* with ... . If that algorithm threw an error, rethrow the error and abort further steps. 
  1. Set *attribute*'s  value to *validatedValue*.

The attribute validate steps would be defined in other specs (e.g. HTML or CSP), and would define the behavior for sensitive attributes+element pairs. The behavior would be a thin wrapper around [Get Trusted Types compliant string](https://w3c.github.io/webappsec-trusted-types/dist/spec/#get-trusted-type-compliant-string-algorithm).

The result would be that as long as we're dealing with *values*  (e.g. `Attr.value` setter, or `Element.setAttribute(name, value)`) the argument could be a Trusted Type, and that would be validated. When dealing with `Attr` *nodes* (e.g. `Element.setAttributeNode()` or  `NamedNodeMap.setNamedItem()`), TT could be enforced via a [default policy](https://w3c.github.io/webappsec-trusted-types/dist/spec/#default-policy).

This approach solves the bypass via attribute nodes, and also fixes https://github.com/w3c/webappsec-trusted-types/issues/229. 

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/789#issuecomment-544540035

Received on Monday, 21 October 2019 14:27:15 UTC