this post was submitted on 22 Dec 2023
141 points (97.3% liked)

Technology


• Mozilla plans to implement Trusted Types in Firefox to reduce web attacks relying on injected code.

• Trusted Types has been successful in preventing DOM-based XSS on popular websites.

• As more websites adopt Trusted Types, XSS attacks are expected to become less common.

top 3 comments
[–] DacoTaco@lemmy.world 29 points 2 years ago* (last edited 2 years ago)

I had no idea Trusted Types existed, and it took a while to realise the W3 docs were confusing as hell.
But Mozilla to the rescue: https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API

So it boils down to a JavaScript API to sanitize a string before using it in a plethora of JavaScript functions that interact with the DOM. Neat, but if the developer has to make the policy themselves I don't see the added bonus to this. XSS seems to be still possible if the policy is made incorrectly?

Edit: or am I reading the example wrong and the developer-defined code is on top of whatever the API does with the string? I also don't understand why the browser's implementation of innerHTML couldn't just automatically apply whatever that policy does...
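
As an added example (not part of any comment in this thread, and not Mozilla's code), here is what a Trusted Types policy looks like and where the sanitizing logic actually lives. The CSP header, the allowed script origin and the policy name are assumed values chosen for the example.

```javascript
// Added example (not from the thread). With the CSP header
//   Content-Security-Policy: require-trusted-types-for 'script'
// the browser rejects plain strings at sinks such as innerHTML and only accepts
// TrustedHTML/TrustedScriptURL objects minted by a policy. The browser enforces
// "went through a policy", not "is safe": the checks below are the developer's.

// Assumed/constructed values for this example
const ALLOWED_SCRIPT_ORIGIN = 'https://app.example';
const POLICY_NAME = 'app';

// createHTML rule: render untrusted text as escaped text only, never live markup
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// createScriptURL rule: only https URLs on the allowed origin; null otherwise
function checkScriptURL(input) {
  let url;
  try { url = new URL(String(input), ALLOWED_SCRIPT_ORIGIN); } catch { return null; }
  const ok = url.protocol === 'https:' && url.origin === ALLOWED_SCRIPT_ORIGIN;
  return ok ? url.href : null;
}

const policyRules = {
  createHTML: (s) => escapeHtml(s),
  createScriptURL: (s) => {
    const href = checkScriptURL(s);
    if (href === null) throw new TypeError('script URL not allowed: ' + s);
    return href;
  },
  // No createScript: minting inline script text is refused outright.
};

let policy = null;
// Browser side; returns null where the Trusted Types API is unavailable (e.g. Node)
function installPolicy() {
  if (typeof trustedTypes === 'undefined') return null;
  if (policy === null) policy = trustedTypes.createPolicy(POLICY_NAME, policyRules);
  return policy;
}

// Under the CSP above, `el.innerHTML = untrusted` (a plain string) throws;
// assigning the TrustedHTML object returned by the policy is accepted.
function renderComment(el, untrusted) {
  const p = installPolicy();
  el.innerHTML = p ? p.createHTML(untrusted) : escapeHtml(untrusted);
}
```

Registering the policy under the name `default` instead makes the browser route plain strings reaching a sink through it automatically, which is the closest the API comes to the automatic behaviour the comment above asks about.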

[–] IHeartBadCode@kbin.social 18 points 2 years ago (1 children)
[–] Aatube@kbin.social 1 points 2 years ago

Not much of a surprise given how they removed GTK theming from Thunderbird and maybe Firefox