Intent to Extend Origin Trial: Trusted Types


Daniel Vogelheim

Jul 12, 2019, 12:17:31 PM7/12/19
to blink-dev
tl;dr: Early feedback led to changes which we'd like to try out as well. Also, bugs prevented some parties from participating in the current origin trial.

Spec
- Explainer & more info: https://github.com/WICG/trusted-types

Summary
Extend the ongoing Origin Trial for 'trusted types'.

Summary, Origin Trial
The current trial (& associated publicity) netted us a number of "bypass" bug reports, plus feedback on the difficulty of deploying the API (communicated mostly privately), mostly focussing around the difficulties of adapting existing applications/frameworks, whose DOM API usage does not always cleanly map to 'Trusted Types'. As a result, we've added debugging features (like support for CSP-based error reporting; report-only policies for easy experimentation), deployability features (like support for Trusted Types in JavaScript's eval), and we are currently contemplating a slight change in scope (i.e., which DOM APIs should be covered by Trusted Types at all). We'd like to trial those changes as well.

Also, due to some unfortunate bugs on our part, the trial was (in practice) unusable during part of the trial period, and one large-ish developer has indicated interest in trying out Trusted Types, but won't make it within the current period.

Summary, The Feature
'Trusted types' offer an (optional) mechanism for web sites to protect themselves against XSS (cross-site scripting) attacks. Those types of attacks stem from implementation oversights that allow user-controlled (and therefore attacker-controlled) data to slip through into parts of the DOM where they are interpreted as JavaScript (or script-equivalent). Or, in other words, the developers forgot to sanitize user inputs in some part of their app. "Trusted types" solves this by limiting the attack surface from potentially the entire code base to a handful of "policies" that a developer can implement and install. "Trusted types" then ensure that all risk-ful parts of the DOM can only be used by data that has gone through such a developer-supplied policy.


Link to “Intent to Implement” blink-dev discussion

Goals for (extended) experimentation
- Get feedback for changes made during the current experiment.
- Get feedback from a greater variety of implementors.

Also, just give people more time. Making use of these APIs seems to require a good bit of time. E.g. Google-internal feedback has been that deploying Trusted Types occasionally requires refactoring existing code to map more easily onto Trusted Types. These things take a while.

(Extended) Experimental timeline
M77-M78

Any risks when the experiment finishes?

Minor.


(Being a security feature, the primary function of "trusted types" is to block certain functionality that's usually enabled. When "trusted types" are disabled again, everything that works with it should also work without. Conceivable issues would be if e.g. TT APIs are called unconditionally, even with the experiment disabled, since those calls would then throw exceptions.)


Reason this experiment is being extended
(See 'goals' and 'summary' sections.)

Ongoing technical constraints
None.

Debuggability
By now, Trusted Types debuggability is super excellent. When "Trusted Types" blocks DOM access, it logs a console message, throws an exception, and (if enabled) sends reports using the CSP reporting infrastructure.
Even better, if one enables "Trusted Types" in a CSP report-only configuration, one can basically just run it in any unmodified page and then watch the "[Report Only]" messages scroll by in order to determine which parts of the webapp need to be adapted.

Will this feature be supported on all five Blink platforms supported by Origin Trials (Windows, Mac, Linux, Chrome OS, and Android)?
Yes.

Link to entry on the feature dashboard

Yoav Weiss

Jul 12, 2019, 12:35:38 PM7/12/19
to Daniel Vogelheim, blink-dev
LGTM

On Fri, Jul 12, 2019 at 2:17 PM 'Daniel Vogelheim' via blink-dev <blin...@chromium.org> wrote:
tl;dr: Early feedback led to changes which we'd like to try out as well. Also, bugs prevented some parties from participating in the current origin trial.

Spec
- Explainer & more info: https://github.com/WICG/trusted-types

Would be good to file for a TAG review sooner rather than later...

Mike West

Jul 16, 2019, 1:03:41 PM7/16/19
to Yoav Weiss, Daniel Vogelheim, blink-dev
On Fri, Jul 12, 2019 at 2:35 PM Yoav Weiss <yo...@yoav.ws> wrote:
LGTM

On Fri, Jul 12, 2019 at 2:17 PM 'Daniel Vogelheim' via blink-dev <blin...@chromium.org> wrote:
tl;dr: Early feedback led to changes which we'd like to try out as well. Also, bugs prevented some parties from participating in the current origin trial.

Spec
- Explainer & more info: https://github.com/WICG/trusted-types

Would be good to file for a TAG review sooner rather than later...


The TAG's been punting it from telcon to telcon since February. I'll ping it again. :)

-mike