Jun
When Layered API increases, there may be a case where a Layered API could be used as a script gadget. And I think browsers should provide a way for site owners to block...
This change adds [Trusted Types](https://web.dev/trusted-types/) support to Knockout. All the changes are behind `typeof trustedTypes !== 'undefined'`, so this change should only affect Chromium users (where Trusted Types is supported)....
[Trusted Types](https://web.dev/trusted-types/) helps prevent DOM-based XSS from appearing in web applications. Given that [jQuery](https://github.com/jquery/jquery/issues/4409) also supports Trusted Types, adding support for Trusted Types to Knockout would be a good idea....
**Summary** [html2canvas](https://github.com/niklasvh/html2canvas) has a [Trusted Types](https://web.dev/trusted-types/) violation due to its use of the `document.write` API, which is considered a dangerous sink for XSS. This change fixes that and makes html2canvas compatible with Trusted...
Currently, [eval](https://github.com/google/closure-compiler/blob/3aaf3475128e8f7e398a42b3400256aee4870bbe/externs/es3.js#L383) only supports the string type as an argument. However, Chrome added support for [Trusted Types](https://web.dev/trusted-types/) in Chrome 83, which makes the TrustedScript type a valid argument to eval.
After publishing the [XHR vector](https://github.com/shhnjk/cursed_types#xhr-document-response), there was [feedback](https://twitter.com/craigfrancis/status/1493584577457278976) asking to enforce Trusted Types on XHR document response. Is it possible to change [XMLHttpRequest](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest) (i.e. XHR) to the following? 1. Change...
We should enforce Trusted Types on the `` tag's `href` attribute. Found by @masatokinugawa. https://twitter.com/kinugawamasato/status/1493576076726988802

```
let attackerControlledString = 'data:image/svg+xml;base64,PHN2ZyBpZD0neCcgeG1sbnM9J2h0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnJyB4bWxuczp4bGluaz0naHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluayc+CjxpbWFnZSBocmVmPSJ4IiBvbmVycm9yPSJhbGVydChvcmlnaW4pIiAvPgo8L3N2Zz4=#x';
const svg = document.createElementNS('http://www.w3.org/2000/svg', 'svg');
const use = document.createElementNS('http://www.w3.org/2000/svg', 'use');
// The xlink:href attribute is not covered by Trusted Types enforcement
use.setAttributeNS('http://www.w3.org/1999/xlink', 'href', attackerControlledString);
svg.appendChild(use);
document.body.appendChild(svg);
```
Currently, there is no Trusted Types enforcement on `` in an XSL document. Found by [Alex](https://twitter.com/insertScript) https://twitter.com/kinugawamasato/status/1493641462776360961

```
let attackerControlledString = "";
const doc = document.implementation.createHTMLDocument();
const xslt = document.createElementNS("http://www.w3.org/1999/XSL/Transform", "xsl:stylesheet");
xslt.setAttribute("xmlns:xsl", "http://www.w3.org/1999/XSL/Transform");
```
...
Currently, there is no Trusted Types enforcement on `document.createProcessingInstruction`. Found by @masatokinugawa. https://twitter.com/kinugawamasato/status/1493571837019648003

```
let attackerControlledString = 'data:text/xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHhzbDpzdHlsZXNoZWV0IHhtbG5zOnhzbD0iaHR0cDovL3d3dy53My5vcmcvMTk5OS9YU0wvVHJhbnNmb3JtIiB2ZXJzaW9uPSIxLjAiPgogIDx4c2w6b3V0cHV0IG1ldGhvZD0iaHRtbCIgIC8+CiAgPHhzbDp0ZW1wbGF0ZSBtYXRjaD0iLyI+CjxzY3JpcHQ+YWxlcnQoZG9jdW1lbnQuZG9tYWluKTwvc2NyaXB0PgogIDwveHNsOnRlbXBsYXRlPgo8L3hzbDpzdHlsZXNoZWV0Pg==';
// The processing instruction data is not covered by Trusted Types enforcement
const pi = document.createProcessingInstruction("xml-stylesheet", `href='${attackerControlledString}' type='text/xml'`);
document.insertBefore(pi, document.firstChild);
```
The current implementation in Chrome requires the input argument to createHTML etc. to be present. However, there are cases where the argument isn't required (e.g. just returning a static HTML string to be used for...