Collect HTML injection sinks and DOM XSS injection sinks under XSS injection sinks #404
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…jection sinks Allowed clarifying that all XSS injection sinks are covered by the "trusted-types-sink-group" named 'script'. Closes w3c#383
koto
requested changes
Jan 16, 2024
| @@ -67,10 +67,10 @@ if `aString` contains untrusted data, `foo[bar] = aString` is a statement | |||
| that potentially can trigger a vulnerability, depending on a value | |||
| of `foo` and `bar`. | |||
|
|
|||
| This document focuses on preventing DOM-Based Cross-Site Scripting | |||
There was a problem hiding this comment.
Please keep the DOM-Based XSS or DOM XSS in the spec text (and the link fragments). Trusted Types only covers DOM XSS (Type 0 XSS). The name is a bid misleading, but DOM XSS covers all sinks available to client side code (i.e. DOM API sinks, but also eval, Location etc). This is as opposed to server-side XSSes (Type 1 and 2).
This applies to all mentions below.
There was a problem hiding this comment.
Agree. Thanks for the explanation.
| @@ -205,14 +205,17 @@ it's not easy to distinguish one from the other. | |||
| This document organizes the injection sinks into groups, based on the | |||
| capabilities that sinks in a given group have. [=Enforcement=] for groups is controlled via <a>trusted-types-sink-group</a> values. | |||
|
|
|||
| ### HTML injection sinks ### {#html-injection-sinks} | |||
There was a problem hiding this comment.
Perhaps it might be easier to just merge those two existing sections, and separate them once there is another use case specified?
mbrodesser-Igalia
deleted the
383_collect_html_injection_sinks_and_dom_xss_injection_sinks_under_xss_injection_sinks
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Allowed clarifying that all XSS injection sinks are covered by the
"trusted-types-sink-group" named 'script'.
Closes #383