Why is there no type for style / CSS? #104

Closed

annevk opened this issue Jan 14, 2019 · 6 comments
@annevk
Member

annevk commented Jan 14, 2019

CSP does consider it problematic and there have been some purely CSS-based exploits.

@koto
Member

koto commented Jan 14, 2019

Do you mean the type for:

  • the stylesheet URL (e.g. <link rel=stylesheet href>,
  • stylesheet text (e.g. inline <style> content),
  • the individual CSS properties?

The reason for TT being CSS-agnostic is that we started with something that's limited in scope to prevent DOM XSS, and stylesheets cannot cause that (assuming expression: is not a thing in modern browsers). Indeed the repeated feedback is to add CSS-related types. To start the discussion, which of the above would be useful to authors?

+@sebmarkbage +@xtofian

@sebmarkbage

All three would be useful.

The <link> and <style> cases are typically solved by tools today because it is fairly commonly understood that you don't want injection to add additional properties. It would be nice to enforce this.

The individual CSS properties case is trickier because it is not well known outside very specialized circles. There is a lot more ad-hoc code that will deal with raw strings today. This likely means that it is a more difficult upgrade path but also that this is an active vulnerable surface today which would benefit from Trusted Types.

There is some significant overlap with CSS Typed OM ImageValue here as well. That solves most issues on its own, but tying it to a scoped policy might have additional value.
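To make concrete what the "individual CSS properties" case above is protecting against, here is an added example (not code from the Trusted Types spec, the issue thread, or any of its participants). The names `TrustedCSSValue`, `createCSSPolicy` and `setStyleProperty` are hypothetical stand-ins for a CSS-aware type, a policy factory and a typed `setProperty` sink; the policy rejects any value that could terminate the declaration or smuggle in a second one, which is exactly the "injection adds additional properties" problem described in the comment.

```javascript
'use strict';

// Hypothetical capability token: only code holding it (the policy factory
// below) can construct a TrustedCSSValue, mirroring how Trusted Types
// instances can only come from a policy.
const POLICY_TOKEN = Symbol('policy');

// Hypothetical type for a single, already-vetted CSS property value.
class TrustedCSSValue {
  #value;
  constructor(value, token) {
    if (token !== POLICY_TOKEN) {
      throw new TypeError('TrustedCSSValue can only be created through a policy');
    }
    this.#value = value;
  }
  toString() { return this.#value; }
}

// Conservative check for one property value. Rejects declaration
// terminators and comment openers (";", "{", "}", "/*"), CSS escapes, and
// anything that loads a remote resource or ran code in legacy engines.
const FORBIDDEN = /[;{}]|\/\*|\\|url\s*\(|expression\s*\(|@import|-moz-binding/i;

// Hypothetical policy factory: the app-supplied rule returns a cleaned string,
// or undefined to reject the input.
function createCSSPolicy(name, rules) {
  return {
    name,
    createCSSValue(input) {
      const out = rules.createCSSValue(String(input));
      if (out === undefined) {
        throw new TypeError(`${name}: rejected CSS value: ${input}`);
      }
      return new TrustedCSSValue(out, POLICY_TOKEN);
    },
  };
}

const policy = createCSSPolicy('css-props', {
  createCSSValue(s) {
    const v = s.trim();
    return FORBIDDEN.test(v) ? undefined : v;
  },
});

// Hypothetical typed sink standing in for CSSStyleDeclaration.setProperty:
// a raw string is a type error, regardless of its content.
function setStyleProperty(style, property, value) {
  if (!(value instanceof TrustedCSSValue)) {
    throw new TypeError(`setProperty(${property}) requires TrustedCSSValue, got ${typeof value}`);
  }
  style[property] = String(value);
  return style;
}

// What the resulting style="" attribute would contain.
function serializeStyle(style) {
  return Object.entries(style).map(([k, v]) => `${k}: ${v}`).join('; ');
}

// Applies a user-controlled colour through the policy and the typed sink.
// Returns the serialized style, or null if the policy rejected the input.
function applyUserColor(userColor) {
  const style = {};
  try {
    setStyleProperty(style, 'color', policy.createCSSValue(userColor));
  } catch (e) {
    if (e instanceof TypeError) return null;
    throw e;
  }
  return serializeStyle(style);
}

// Attempting to bypass the policy with a raw string; returns true if the
// sink rejected it.
function rawStringIsRejected() {
  try {
    setStyleProperty({}, 'color', 'red');
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Constructed sample inputs: a benign value and an injection that tries to
// append a second declaration pointing at an attacker-controlled URL.
console.log(applyUserColor('red'));
console.log(applyUserColor('red; background: url(https://attacker.example/leak)'));
console.log(rawStringIsRejected());
```

The point of routing the value through a type rather than a sanitizer call at each site is the one the comment makes: ad-hoc code that builds `style` strings from raw input is hard to find, whereas a sink that only accepts the type turns every remaining raw-string assignment into a loud failure that the policy's enforcement (or a CSP report) can surface.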

@annevk
Member Author

annevk commented Jan 15, 2019

You also need style="" I suspect.

@koto
Member

koto commented Jan 17, 2019

<link> is problematic as its href attribute means different things, depending on the value of rel - #6. For now, we just require TrustedURL there.

I'll look into how involved the style types implementation would be.

@koto
Member

koto commented Jul 23, 2019

We decided to focus the Trusted Types v1 on DOM XSS only, so protecting against style injections is not in scope for now. We can amend the API in future revisions.

@koto koto closed this as completed Jul 23, 2019
@koto
Member

koto commented Sep 3, 2019

It's possible to add support to custom types and custom sinks to the API like so: https://gist.github.com/koto/1d044f6029ee337beffb4487b80f8b02
