SlideShare a Scribd company logo

Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)

Krzysztof Kotowicz, profile picture
Krzysztof Kotowicz

The document discusses the vulnerabilities associated with DOM-based Cross-Site Scripting (DOM XSS) and advocates for the implementation of 'Trusted Types' as a security measure. Trusted Types help prevent unsafe assignments to the DOM by enforcing the use of securely created object types instead of strings. The proposed method has been tested at Google and is being implemented in various frameworks and browsers to enhance security against these vulnerabilities.

Technology
1 of 22
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Trusted Types Securing the DOM from the bottom up Krzysztof Kotowicz, Google @kkotowicz github.com/koto koto@google.com
DOM XSS
Google Vulnerability Reward Program payouts in 2018 XSS 35.6% Non-web issues 49.1% Mobile app vulnerabilities Business logic (authorization) Server /network misconfigurations ...
Source: HackerOne report, 2018 Consumer Goods Financial services & insurance Government Healthcare Media & Entertainment Professional services Retail & Ecommerce Technology Telecom Transportation Travel & Hospitality Figure 5: Listed are the top 15 vulnerability types platform wide, and the percentage of vulnerabilities received per industry Cross Site scripting (XSS) Information disclosure Improper authentication Violation of secure design principles Cross-site request forgery (CSRF) Open redirect Privilege Escalation Improper access control Cryptographic issues Denial of service Business logic errors Code injection SQL injection Vulnerabilities by industry
Paid bounties by vulnerability on Mozilla websites in 2016 and 2017 Source: @jvehent, Mozilla CountofVulnerability w sec-xss w sec-applogic w sec-disclosure w sec-im personation w sec-objref w sec-injection w sec-appm isconfig w sec-authentication w sec-redirect w sec-oscm d w sec-http-header-inject w sec-serverm isconfig w sec-sqli w sec-authorization w sec-crossdom ain w sec-csrf
DOM XSS is a client-side XSS variant caused by the DOM API not being secure by default. ● User controlled strings get converted into code ● via dangerous and error-prone DOM sinks like: innerHTML, window.open(), ~60 other DOM sinks var foo = location.hash.slice(1); document.querySelector('#foo').innerHTML = foo; How does DOM XSS happen? Example: https://example.com/#<img src=x onerror=alert('xss')>
HTMLFormElement.action Element.innerHTML window.open HTMLAreaElement.href HTMLMediaElement.src HTMLFrameElement.src HTMLSourceElement.src HTMLTrackElement.src HTMLInputElement.src location.assign location.hrefdocument.write HTMLButtonElement.formAction HTMLFrameElement.srcdoc HTMLImageElement.src HTMLEmbededElement.src HTMLScriptElement.textContent HTMLInputElement.formAction HTMLScriptElement.InnerText HTMLBaseElement.href
Growing problem ● DOM sinks can be used by your own code ○ … or the libraries you use ○ … or the scripts you load (analytics?) ○ … or the script that they load at runtime. ● Each of those potentially introduces DOM XSS ● Static analysis for JS does not work reliably ● At Google, DOM XSS is already the most common XSS variant.
We know how to address it! Safe Types (link) ● 6+ years of experience ● Protects Gmail and almost all other Google applications ● Evidence of efficacy ● Securely produce values that end up in DOM ● Implemented as Java{Script},Go, … libraries ● We're porting this approach directly to the browsers
Trusted Types
Strongly typed DOM API. ● Don't pass (HTML, URL, script URL) strings to the DOM sinks ● Use objects instead ● DOM already supports it: ● Web platform (or polyfill) provides typed objects: TrustedHTML, TrustedScript, TrustedURL, TrustedScriptURL ● Security rules & controls are based on types The idea behind Trusted Types el.innerHTML = {toString: () => 'hello'}; el.innerHTML // 'hello'
When Trusted Types are not enforced: DOM sinks accepts strings as usual DOM sinks accept typed objects element.innerHTML = aTrustedHTML; The idea behind Trusted Types
When Trusted Types are enforced: DOM sinks reject strings DOM sinks accept typed objects Content-Security-Policy: trusted-types myPolicy element.innerHTML = location.hash.slice(1); // a string element.innerHTML = aTrustedHTML; // created via a TrustedTypes policy The idea behind Trusted Types
When Trusted Types are in reporting mode: DOM sinks accept & report strings DOM sinks accept typed objects Content-Security-Policy-Report-Only: trusted-types myPolicy; report-uri /report element.innerHTML = location.hash.slice(1); // a string element.innerHTML = aTrustedHTML; // created via a TrustedTypes policy The idea behind Trusted Types
1. Create policies with validation rules 2. Use the policies to create Trusted Type objects 3. Enforce "myPolicy" by setting a Content Security Policy header Creating Trusted Types Content-Security-Policy: trusted-types myPolicy myOtherPolicy const SanitizingPolicy = TrustedTypes.createPolicy('myPolicy', { createHTML(s: string) => myCustomSanitizer(s) }, false); // Calls myCustomSanitizer(foo). const trustedHTML = SanitizingPolicy.createHTML(foo); element.innerHTML = trustedHTML;
Control policy creation: ● Policy name whitelist: ● No duplicate policy names Control policy usage: ● Policies are JavaScript objects ● Lock them in a module, inside a local function variable etc. Control over policies Content-Security-Policy: trusted-types myPolicy myOtherPolicy
The "default" policy is called as a fallback when a string is assigned to a sink. Good way to get started and to identify risky DOM assignments. Trusted Types - default policy Content-Security-Policy: trusted-types myPolicy default TrustedTypes.createPolicy('default', { createHTML(s) { console.log("Please fix! Insecure string assignment:", s); return s; } }, true);
Demo bit.ly/trusted-types-demo2
→ Benefits Source ... Policy Trusted Type→ → → ... DOM sink→ ● Reduced attack surface - The risky data flow will always be: ● Isolates security-sensitive code from the rest of the applications ● No DOM XSS if policies are secure and access restricted ● Compile time & runtime security validation
Trusted Types in practice ● Policies in a few trusted components ○ Frameworks ○ Templating engines ○ HTML sanitizers (DOMPurify) ● It's easy to add support to modern frameworks (sample patch for Angular) ● Code size overhead negligible ○ 66 bytes of the smallest polyfill ○ ~300 bytes in Google Closure Porting modern applications is easy (we're already doing this for our apps!)
● Active development, looking for your feedback! ● Support in Chromium browsers (origin trial - tinyurl.com/try-trusted-types) ● Discussion group - trusted-types@googlegroups.com ● W3C specification draft - wicg.github.io/trusted-types/ ● Polyfills & documentation at bit.ly/trusted-types Working on external integrations: ● DOMPurify ● Modern JS frameworks ● TypeScript type definitions - definitelytyped.org ● Secure policies library & other tooling (coming soon!) Project status
Try Trusted Types now! bit.ly/trusted-types

More Related Content

PDF
Trusted Types and the end of DOM XSS
Krzysztof Kotowicz
 
PDF
Trusted Types @ W3C TPAC 2018
Krzysztof Kotowicz
 
PDF
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Mario Heiderich
 
PDF
Scriptless Attacks - Stealing the Pie without touching the Sill
Mario Heiderich
 
PDF
Securing your Node.js App
Dheeraj Joshi
 
PDF
Generic Attack Detection - ph-Neutral 0x7d8
Mario Heiderich
 
PDF
Rethinking The Policy Agent
ForgeRock Identity Tech Talks
 
PDF
Locking the Throneroom 2.0
Mario Heiderich
 
Trusted Types and the end of DOM XSS
Krzysztof Kotowicz
 
Trusted Types @ W3C TPAC 2018
Krzysztof Kotowicz
 
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Mario Heiderich
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Mario Heiderich
 
Securing your Node.js App
Dheeraj Joshi
 
Generic Attack Detection - ph-Neutral 0x7d8
Mario Heiderich
 
Rethinking The Policy Agent
ForgeRock Identity Tech Talks
 
Locking the Throneroom 2.0
Mario Heiderich
 

What's hot (20)

PDF
The innerHTML Apocalypse
Mario Heiderich
 
PDF
In the DOM, no one will hear you scream
Mario Heiderich
 
PDF
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
Mario Heiderich
 
PDF
The Image that called me - Active Content Injection with SVG Files
Mario Heiderich
 
PDF
The Ultimate IDS Smackdown
Mario Heiderich
 
PPTX
SMIMP Lightning Talk - DEFCON CryptoVillage
Adam Caudill
 
PDF
The Future of Web Attacks - CONFidence 2010
Mario Heiderich
 
PDF
Dev and Blind - Attacking the weakest Link in IT Security
Mario Heiderich
 
PDF
A XSSmas carol
cgvwzq
 
PDF
Security in PHP Applications: An absolute must!
Mark Niebergall
 
PPTX
XML Encryption
Prabath Siriwardena
 
PDF
Cryptography In The Browser Using JavaScript
barysteyn
 
PPTX
XML Security
hamsa nandhini
 
PPT
Lock Interface in Java
Home
 
PDF
Security Vulnerabilities: How to Defend Against Them
Martin Vigo
 
PDF
Dot Net Training in Chennai
jeevanfita
 
PPT
Cookie mechanism and attacks on web-client
Positive Hack Days
 
PDF
Developer's Guide to JavaScript and Web Cryptography
Kevin Hakanson
 
PDF
Java script and web cryptography (cf.objective)
ColdFusionConference
 
PPTX
Less is More by Matt Christensen
jdaychi
 
The innerHTML Apocalypse
Mario Heiderich
 
In the DOM, no one will hear you scream
Mario Heiderich
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
Mario Heiderich
 
The Image that called me - Active Content Injection with SVG Files
Mario Heiderich
 
The Ultimate IDS Smackdown
Mario Heiderich
 
SMIMP Lightning Talk - DEFCON CryptoVillage
Adam Caudill
 
The Future of Web Attacks - CONFidence 2010
Mario Heiderich
 
Dev and Blind - Attacking the weakest Link in IT Security
Mario Heiderich
 
A XSSmas carol
cgvwzq
 
Security in PHP Applications: An absolute must!
Mark Niebergall
 
XML Encryption
Prabath Siriwardena
 
Cryptography In The Browser Using JavaScript
barysteyn
 
XML Security
hamsa nandhini
 
Lock Interface in Java
Home
 
Security Vulnerabilities: How to Defend Against Them
Martin Vigo
 
Dot Net Training in Chennai
jeevanfita
 
Cookie mechanism and attacks on web-client
Positive Hack Days
 
Developer's Guide to JavaScript and Web Cryptography
Kevin Hakanson
 
Java script and web cryptography (cf.objective)
ColdFusionConference
 
Less is More by Matt Christensen
jdaychi
 
Ad

Similar to Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam) (20)

PDF
[OPD 2019] Trusted types and the end of DOM XSS
OWASP
 
PDF
パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法
inet-lab
 
PPTX
Web security: Securing Untrusted Web Content in Browsers
Phú Phùng
 
PPTX
Web security: Securing untrusted web content at browsers
Phú Phùng
 
PPTX
Webinar–Reviewing Modern JavaScript Applications
Synopsys Software Integrity Group
 
PPTX
Cos 432 web_security
Michael Freyberger
 
PPTX
W3 conf hill-html5-security-realities
Brad Hill
 
PDF
Webinar–OWASP Top 10 for JavaScript for Developers
Synopsys Software Integrity Group
 
PPTX
Confidence web
Dan Kaminsky
 
PDF
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
PDF
BsidesDelhi 2018: DomGoat - the DOM Security Playground
BSides Delhi
 
PPT
Reversing JavaScript
Roberto Suggi Liverani
 
PDF
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Philippe De Ryck
 
PPTX
Pentesting Modern Web Apps: A Primer
Brian Hysell
 
PPTX
Dmk sb2010 web_defense
Dan Kaminsky
 
PDF
Secure java script-for-developers
n|u - The Open Security Community
 
PDF
Waf.js: How to Protect Web Applications using JavaScript
Denis Kolegov
 
PDF
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Research
 
PPTX
How to React to JavaScript Insecurity
Ksenia Peguero
 
PPT
(In)Security Implication in the JS Universe
Stefano Di Paola
 
[OPD 2019] Trusted types and the end of DOM XSS
OWASP
 
パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法
inet-lab
 
Web security: Securing Untrusted Web Content in Browsers
Phú Phùng
 
Web security: Securing untrusted web content at browsers
Phú Phùng
 
Webinar–Reviewing Modern JavaScript Applications
Synopsys Software Integrity Group
 
Cos 432 web_security
Michael Freyberger
 
W3 conf hill-html5-security-realities
Brad Hill
 
Webinar–OWASP Top 10 for JavaScript for Developers
Synopsys Software Integrity Group
 
Confidence web
Dan Kaminsky
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
BsidesDelhi 2018: DomGoat - the DOM Security Playground
BSides Delhi
 
Reversing JavaScript
Roberto Suggi Liverani
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Philippe De Ryck
 
Pentesting Modern Web Apps: A Primer
Brian Hysell
 
Dmk sb2010 web_defense
Dan Kaminsky
 
Secure java script-for-developers
n|u - The Open Security Community
 
Waf.js: How to Protect Web Applications using JavaScript
Denis Kolegov
 
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Research
 
How to React to JavaScript Insecurity
Ksenia Peguero
 
(In)Security Implication in the JS Universe
Stefano Di Paola
 
Ad

More from Krzysztof Kotowicz (15)

PDF
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Krzysztof Kotowicz
 
PDF
Hacking HTML5 offensive course (Zeronights edition)
Krzysztof Kotowicz
 
PDF
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
Krzysztof Kotowicz
 
PDF
HTML5: Atak i obrona
Krzysztof Kotowicz
 
PDF
I'm in your browser, pwning your stuff
Krzysztof Kotowicz
 
PDF
Advanced Chrome extension exploitation
Krzysztof Kotowicz
 
PDF
Html5: Something wicked this way comes (Hack in Paris)
Krzysztof Kotowicz
 
PDF
Something wicked this way comes - CONFidence
Krzysztof Kotowicz
 
PDF
Html5: something wicked this way comes - HackPra
Krzysztof Kotowicz
 
PDF
Html5: something wicked this way comes
Krzysztof Kotowicz
 
PDF
Creating, obfuscating and analyzing malware JavaScript
Krzysztof Kotowicz
 
PDF
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Krzysztof Kotowicz
 
PDF
Jak ocalić swoje dane przed SQL injection?
Krzysztof Kotowicz
 
PDF
SQL Injection: complete walkthrough (not only) for PHP developers
Krzysztof Kotowicz
 
PPT
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Krzysztof Kotowicz
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Krzysztof Kotowicz
 
Hacking HTML5 offensive course (Zeronights edition)
Krzysztof Kotowicz
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
Krzysztof Kotowicz
 
HTML5: Atak i obrona
Krzysztof Kotowicz
 
I'm in your browser, pwning your stuff
Krzysztof Kotowicz
 
Advanced Chrome extension exploitation
Krzysztof Kotowicz
 
Html5: Something wicked this way comes (Hack in Paris)
Krzysztof Kotowicz
 
Something wicked this way comes - CONFidence
Krzysztof Kotowicz
 
Html5: something wicked this way comes - HackPra
Krzysztof Kotowicz
 
Html5: something wicked this way comes
Krzysztof Kotowicz
 
Creating, obfuscating and analyzing malware JavaScript
Krzysztof Kotowicz
 
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Krzysztof Kotowicz
 
Jak ocalić swoje dane przed SQL injection?
Krzysztof Kotowicz
 
SQL Injection: complete walkthrough (not only) for PHP developers
Krzysztof Kotowicz
 
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Krzysztof Kotowicz
 

Recently uploaded (20)

PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Cloud computing and distributed systems.
kkkkkhan
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Encapsulation theory and applications.pdf
gurumoop
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 

Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)

  • 1. Trusted Types Securing the DOM from the bottom up Krzysztof Kotowicz, Google @kkotowicz github.com/koto koto@google.com
  • 3. Google Vulnerability Reward Program payouts in 2018 XSS 35.6% Non-web issues 49.1% Mobile app vulnerabilities Business logic (authorization) Server /network misconfigurations ...
  • 4. Source: HackerOne report, 2018 Consumer Goods Financial services & insurance Government Healthcare Media & Entertainment Professional services Retail & Ecommerce Technology Telecom Transportation Travel & Hospitality Figure 5: Listed are the top 15 vulnerability types platform wide, and the percentage of vulnerabilities received per industry Cross Site scripting (XSS) Information disclosure Improper authentication Violation of secure design principles Cross-site request forgery (CSRF) Open redirect Privilege Escalation Improper access control Cryptographic issues Denial of service Business logic errors Code injection SQL injection Vulnerabilities by industry
  • 5. Paid bounties by vulnerability on Mozilla websites in 2016 and 2017 Source: @jvehent, Mozilla CountofVulnerability w sec-xss w sec-applogic w sec-disclosure w sec-im personation w sec-objref w sec-injection w sec-appm isconfig w sec-authentication w sec-redirect w sec-oscm d w sec-http-header-inject w sec-serverm isconfig w sec-sqli w sec-authorization w sec-crossdom ain w sec-csrf
  • 6. DOM XSS is a client-side XSS variant caused by the DOM API not being secure by default. ● User controlled strings get converted into code ● via dangerous and error-prone DOM sinks like: innerHTML, window.open(), ~60 other DOM sinks var foo = location.hash.slice(1); document.querySelector('#foo').innerHTML = foo; How does DOM XSS happen? Example: https://example.com/#<img src=x onerror=alert('xss')>
  • 8. Growing problem ● DOM sinks can be used by your own code ○ … or the libraries you use ○ … or the scripts you load (analytics?) ○ … or the script that they load at runtime. ● Each of those potentially introduces DOM XSS ● Static analysis for JS does not work reliably ● At Google, DOM XSS is already the most common XSS variant.
  • 9. We know how to address it! Safe Types (link) ● 6+ years of experience ● Protects Gmail and almost all other Google applications ● Evidence of efficacy ● Securely produce values that end up in DOM ● Implemented as Java{Script},Go, … libraries ● We're porting this approach directly to the browsers
  • 11. Strongly typed DOM API. ● Don't pass (HTML, URL, script URL) strings to the DOM sinks ● Use objects instead ● DOM already supports it: ● Web platform (or polyfill) provides typed objects: TrustedHTML, TrustedScript, TrustedURL, TrustedScriptURL ● Security rules & controls are based on types The idea behind Trusted Types el.innerHTML = {toString: () => 'hello'}; el.innerHTML // 'hello'
  • 12. When Trusted Types are not enforced: DOM sinks accepts strings as usual DOM sinks accept typed objects element.innerHTML = aTrustedHTML; The idea behind Trusted Types
  • 13. When Trusted Types are enforced: DOM sinks reject strings DOM sinks accept typed objects Content-Security-Policy: trusted-types myPolicy element.innerHTML = location.hash.slice(1); // a string element.innerHTML = aTrustedHTML; // created via a TrustedTypes policy The idea behind Trusted Types
  • 14. When Trusted Types are in reporting mode: DOM sinks accept & report strings DOM sinks accept typed objects Content-Security-Policy-Report-Only: trusted-types myPolicy; report-uri /report element.innerHTML = location.hash.slice(1); // a string element.innerHTML = aTrustedHTML; // created via a TrustedTypes policy The idea behind Trusted Types
  • 15. 1. Create policies with validation rules 2. Use the policies to create Trusted Type objects 3. Enforce "myPolicy" by setting a Content Security Policy header Creating Trusted Types Content-Security-Policy: trusted-types myPolicy myOtherPolicy const SanitizingPolicy = TrustedTypes.createPolicy('myPolicy', { createHTML(s: string) => myCustomSanitizer(s) }, false); // Calls myCustomSanitizer(foo). const trustedHTML = SanitizingPolicy.createHTML(foo); element.innerHTML = trustedHTML;
  • 16. Control policy creation: ● Policy name whitelist: ● No duplicate policy names Control policy usage: ● Policies are JavaScript objects ● Lock them in a module, inside a local function variable etc. Control over policies Content-Security-Policy: trusted-types myPolicy myOtherPolicy
  • 17. The "default" policy is called as a fallback when a string is assigned to a sink. Good way to get started and to identify risky DOM assignments. Trusted Types - default policy Content-Security-Policy: trusted-types myPolicy default TrustedTypes.createPolicy('default', { createHTML(s) { console.log("Please fix! Insecure string assignment:", s); return s; } }, true);
  • 19. → Benefits Source ... Policy Trusted Type→ → → ... DOM sink→ ● Reduced attack surface - The risky data flow will always be: ● Isolates security-sensitive code from the rest of the applications ● No DOM XSS if policies are secure and access restricted ● Compile time & runtime security validation
  • 20. Trusted Types in practice ● Policies in a few trusted components ○ Frameworks ○ Templating engines ○ HTML sanitizers (DOMPurify) ● It's easy to add support to modern frameworks (sample patch for Angular) ● Code size overhead negligible ○ 66 bytes of the smallest polyfill ○ ~300 bytes in Google Closure Porting modern applications is easy (we're already doing this for our apps!)
  • 21. ● Active development, looking for your feedback! ● Support in Chromium browsers (origin trial - tinyurl.com/try-trusted-types) ● Discussion group - trusted-types@googlegroups.com ● W3C specification draft - wicg.github.io/trusted-types/ ● Polyfills & documentation at bit.ly/trusted-types Working on external integrations: ● DOMPurify ● Modern JS frameworks ● TypeScript type definitions - definitelytyped.org ● Secure policies library & other tooling (coming soon!) Project status
  • 22. Try Trusted Types now! bit.ly/trusted-types