feat(client): Add trusted types support#3360
Merged
Merged
Conversation
With this change, Karma tests can be run with an enforced Trusted Types policy. This change consists of using safer APIs (appendChild and textContent instead of innerHTML), as well as creating a policy for client/karma.js which a test's Trusted Types CSP policy can then explicitly allow. This policy is used internally where karma does potentially dangerous operations like loading scripts. More info about the proposed Trusted Types standard at https://github.com/WICG/trusted-types
johnjbarton
approved these changes
Sep 3, 2019
Contributor
|
I'll try to restart appveyor |
9 tasks
Contributor
Author
|
For what it's worth, I've run this across all affected tests inside of google3, and all passed |
rictic
added a commit
to rictic/mocha
that referenced
this pull request
Sep 15, 2020
Trusted Types is a new Content Security Policy specification, currently implemented in browsers based on Chromium 83 or higher, which requires that data passed to APIs which may result in arbitrary code execution must go through an explicit policy. This helps to catch unintended use of dangerous APIs, and reduces the surface area for some security reviews. I'm not sure if test infrastructure like mocha is a likely target for attack – seems like in most cases an attacker could only access test data, and it is rare for tests to handle untrusted data. However, there's value for infrastructure to be compatible with running with Trusted Types enabled, as it will allow users to write tests to ensure that the code under test can run with Trusted Types. This change creates and applies policies for the two places in mocha that call innerHTML, and adds a temporary patch to the rollup build. With those changes in place, we can run mocha's karma tests with Trusted Types enabled (save for the one test that runs with requirejs, which relies on eval). More info: * Spec: https://w3c.github.io/webappsec-trusted-types/dist/spec/#introduction * Related PR adding support to karma: karma-runner/karma#3360
|
I cannot find this in the documentation anywhere. How do I enable this feature? I've tried using customHeaders: [
{
match: '\\.html',
name: 'Content-Security-Policy',
value: `require-trusted-types-for 'script';`,
},
],and written the following test it('assigning a string to innerHTML violates the CSP', function() {
let cspViolated = false;
window.addEventListener('securitypolicyviolation', () => cspViolated = true);
document.body.innerHTML = 'foo';
expect(cspViolated).to.be.true;
expect(document.body.innerHTML).to.not.equal('foo');
});Unfortunately, the test fails. |
This was referenced Jan 8, 2021
This was referenced May 27, 2021
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
With this change, Karma tests can be run with an enforced Trusted Types policy.
This change consists of using safer APIs (appendChild and textContent instead of innerHTML), as well as creating a policy for client/karma.js which a test's Trusted Types CSP policy can then explicitly allow. This policy is used internally where karma does potentially dangerous operations like loading scripts.
More info about the proposed Trusted Types standard at https://github.com/WICG/trusted-types