[wp-trac] [WordPress Trac] #61569: Content-Security-Policy (CSP) add support for trusted types (centralized input validation of text inserted into DOM XSS sinks)
WordPress Trac
noreply at wordpress.org
Wed Jul 3 20:48:28 UTC 2024
#61569: Content-Security-Policy (CSP) add support for trusted types (centralized
input validation of text inserted into DOM XSS sinks)
-------------------------+-----------------------------
Reporter: jornfranke | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords:
Focuses: |
-------------------------+-----------------------------
The HTTP security header "Content-Security-Policy" (CSP) allows making
browsing a website more secure for its users by giving the browser
directives on how to protect it (see
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy).
While various CSP features are already supported by WordPress (cf. e.g.
https://jornfranke.codeberg.page/technology-tutorials/wordpress-csp/),
there could be support for an additional directive relevant for
Gutenberg: Trusted Types (https://w3c.github.io/trusted-types/dist/spec/)
(see also
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types).
These essentially allow defining, in the WordPress/Gutenberg JavaScript
code, a central function that validates any text inserted by users/other
scripts into the website (for instance, one could insert malicious HTML
or script code into a block that is then later displayed to another user).
Other frameworks, such as Angular, also support this (see
https://angular.io/guide/security#enforcing-trusted-types).
I can add to my CSP the trusted-type policy "wordpress", e.g.
Content-Security-Policy: trusted-types wordpress; require-trusted-types-for 'script';
Then a function (provided by WordPress) is automatically triggered to
sanitize any input before it is added to the DOM. Here is a simple,
untested example using DOMPurify, based on this web page:
{{{
// Only register the policy where the browser implements Trusted Types.
if (window.trustedTypes && trustedTypes.createPolicy) {
  // The policy name must match the one listed in the CSP trusted-types directive.
  trustedTypes.createPolicy('wordpress', {
    // Every string headed for an HTML sink passes through DOMPurify first;
    // RETURN_TRUSTED_TYPE makes DOMPurify return a TrustedHTML value.
    createHTML: (string, sink) => DOMPurify.sanitize(string,
      {RETURN_TRUSTED_TYPE: true})
  });
}
}}}
I recommend, though, using the standard sanitization function already
available in WordPress.
See also this article on how to implement a trusted-type policy:
https://web.dev/articles/trusted-types#trusted-type-policy
The advantage of a central policy would be that I can also cover for
plugins with issues in securely sanitizing inputs.
See also the complementary issue for Gutenberg:
https://github.com/WordPress/gutenberg/issues/60736
--
Ticket URL: <https://core.trac.wordpress.org/ticket/61569>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
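The following is an added example, not code from the ticket or from WordPress, that models the mechanism the ticket describes so it can run outside a browser: a single named policy is the only place a string can be turned into a value an HTML sink will accept, and a sink under `require-trusted-types-for 'script'` refuses plain strings. Everything here is an assumption for illustration: `TrustedHTML`, `makeTrustedTypesShim` and `setInnerHTML` stand in for the browser's `trustedTypes` global and its sink enforcement, and `sanitizeHtml` is a deliberately small constructed sanitizer standing in for DOMPurify or WordPress's own sanitization, not a substitute for either.

```javascript
// Added example (not from the ticket or WordPress): a Node-runnable model of a
// Trusted Types policy sitting in front of a DOM XSS sink. All names below are
// assumptions for this illustration; in a browser the trustedTypes factory and
// the sink check are provided by the browser itself.

// Opaque wrapper for a value that has passed through a policy. Only the policy
// factory below can mint one, which is what makes the sanitization central.
class TrustedHTML {
  #value;
  constructor(value) { this.#value = String(value); }
  toString() { return this.#value; }
}

// Constructed toy sanitizer standing in for DOMPurify / wp_kses: drops script,
// iframe, object and embed elements, on* event-handler attributes and
// javascript: URLs in href/src. Not a complete HTML sanitizer.
function sanitizeHtml(input) {
  let out = String(input);
  out = out.replace(/<\s*(script|iframe|object|embed)\b[^>]*>[\s\S]*?<\s*\/\s*\1\s*>/gi, '');
  out = out.replace(/<\s*(script|iframe|object|embed)\b[^>]*\/?>/gi, '');
  out = out.replace(/\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
  out = out.replace(/\s+(href|src)\s*=\s*(["']?)\s*javascript:[^"'\s>]*\2/gi, '');
  return out;
}

// Models window.trustedTypes: policy names are unique (a second createPolicy
// with the same name throws, as in the browser), and createHTML is the only
// path that produces a TrustedHTML value.
function makeTrustedTypesShim() {
  const names = new Set();
  return {
    createPolicy(name, rules) {
      if (names.has(name)) throw new TypeError(`Policy "${name}" already exists`);
      if (typeof rules.createHTML !== 'function') throw new TypeError('createHTML is required');
      names.add(name);
      return {
        name,
        createHTML: (s, ...args) => new TrustedHTML(rules.createHTML(String(s), ...args)),
      };
    },
    isHTML: (v) => v instanceof TrustedHTML,
  };
}

// Models an innerHTML assignment under require-trusted-types-for 'script':
// a raw string is refused with a TypeError, a TrustedHTML value is written.
function setInnerHTML(element, value, tt) {
  if (!tt.isHTML(value)) {
    throw new TypeError("This document requires 'TrustedHTML' assignment.");
  }
  element.innerHTML = String(value);
  return element.innerHTML;
}

// Walks through both outcomes for one constructed, untrusted block of HTML.
function demo() {
  const tt = makeTrustedTypesShim();
  // Same shape as the policy in the ticket, with the toy sanitizer in place of DOMPurify.
  const policy = tt.createPolicy('wordpress', {
    createHTML: (string) => sanitizeHtml(string),
  });
  const el = { innerHTML: '' }; // stand-in for a DOM element
  const untrusted = '<p onclick="steal()">Hello</p><script>alert(1)</script>'; // constructed input
  const result = { rejected: false, html: null };
  try {
    setInnerHTML(el, untrusted, tt); // bypassing the policy is refused
  } catch (e) {
    result.rejected = e instanceof TypeError;
  }
  result.html = setInnerHTML(el, policy.createHTML(untrusted), tt); // through the policy
  return result;
}

module.exports = { TrustedHTML, sanitizeHtml, makeTrustedTypesShim, setInnerHTML, demo };
```

Running `demo()` gives `rejected: true` for the direct assignment and `html: '<p>Hello</p>'` for the value minted by the policy. The point of the model is the shape the ticket argues for: a plugin that writes to `innerHTML` without going through the `wordpress` policy fails closed rather than injecting, and any fix to the sanitizer lives in one place.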