Trusted Types

[bartoszniemczura]

WebKittens

@annevk @hober @marcoscaceres

Title of the spec

Trusted Types

URL to the spec

https://www.w3.org/TR/trusted-types/

URL to the spec's repository

https://github.com/w3c/trusted-types/tree/main/spec

TAG Design Review URL

w3ctag/design-reviews#198

Mozilla standards-positions issue URL

mozilla/standards-positions#20

WebKit Bugzilla URL

No response

Radar URL

No response

Description

Trusted Types is an optional browser mechanism for web sites to help protect themselves against cross-site scripting (XSS) attacks. It limits the attack surface from potentially the entire code base to a handful of "policies" that a developer can implement and install, and the browser will then enforce. Trusted Types can help to ensure that risky parts of the DOM can only be used by data that has gone through such a developer-supplied policy.

Sharing some data points that might be useful to consider while evaluating the position:

• XSS is still prevalent in Web Applications:

  • #1 vulnerability in HackerOne 2021 industry report
  • #1 vulnerability in Bugcrowd 2021 Report
  • #2 vulnerability in 2022 CWE Top 25 list
  • #3 vulnerability in Injection category in 2021 OWASP report (note that the category contains other vulnerability types),
  • #3 vulnerability in CVE charts in 2022

• Adoption across the Internet:

  • Meta, Microsoft and Google indicated in W3C WebAppSec forum that they have successfully deployed Trusted Types in number of their applications and that they recommend its usage across Web Applications,
  • https://mitigation.supply/ - Trusted Types enforcement in 14% of Chromes's page loads (from 10% in March 2022). Strict CSP enforcement at 25%.
  • HTTPArchive crawls (credentialless scans) show enforcing CSP with Trusted Types served on >200 non-Google-related domains in March 2023. >160 domains serve report-only CSP. Some of those are served on login pages (e.g. auth.heroku.com, app.knudge.com, login.erply.com), suggesting integration in underlying web applications.

• Existing Browser Support

  • Browser Support Tracker: https://caniuse.com/trusted-types
  • Chrome: supported since version 83 released in May 2020
  • Edge: supported since version 83 released in May 2020
  • Opera: supported since version 69 released in June 2020
  • Firefox: not supported; position: not harmful (previous discussion)

Supporting Trusted Types in Safari would match the level of protection in other browsers and would add additional defense against XSS.

[shhnjk]

FYI, @bartoszniemczura is from Meta 😊

[annevk]

The title of the label clarifies that from: is not about who is asking the WebKit community, but rather who the proposal is from. So this is accurate.

[bkardell]

I guess this was the position in 2020 at least ... Did @othermaciej's concerns/comments get worked out?

[gregwhitworth]

I posted this on Interop 2024 as well but posting across the position issues as well just in case it gets lost:

Salesforce strongly supports the Trusted Types proposal, considering the imminent regulatory changes in the Netherlands and the broader EU, as outlined in the eIDAS Regulation.

The U/PW.03 Standard of DigiD assessment demands the removal of 'unsafe-eval' from CSP, a challenge that will be mirrored across Europe. This presents critical compliance and potential reputation risks for our customers, especially in the public sector and healthcare.

Trusted Types have shown efficacy in XSS risk reduction, demonstrated by Google's successful adoption. This underlines the standard's relevance and potential impact.

[annevk]

I did not immediately understand the relation, but w3c/trusted-types#143 clarifies it a bit. Given TrustedScript.fromLiteral() from https://w3c.github.io/trusted-types/dist/spec/#trusted-script it appears as if Trusted Types would allow you to bypass the spirit of that assessment. As in, instead of eval('something()') you'd write eval(TrustedScript.fromLiteral(`something()`)) and it would not be considered "unsafe". I hope I'm misunderstanding something. Could you clarify perhaps?

Especially the existence of https://w3c.github.io/trusted-types/dist/spec/#default-policy-hdr suggests that when regulation is not aware of Trusted Types existing, Trusted Types, such regulation, and budget/deadlines might encourage application developers to do rather dangerous things.