Added security consideration section about navigating plugins (#265)
koto authored Mar 6, 2020
1 parent bcd3c1b commit db82179
Showing 2 changed files with 33 additions and 7 deletions.
25 changes: 18 additions & 7 deletions dist/spec/index.html
Expand Up @@ -1214,7 +1214,7 @@
</style>
<meta content="Bikeshed version 53d2305928d30790ebcc3b8ea611fb0709647013" name="generator">
<link href="https://w3c.github.io/webappsec-trusted-types/dist/spec/" rel="canonical">
<meta content="cddc9e0a32cbf29e1efcff2ba5f85fe8a394ea3d" name="document-revision">
<meta content="4ef7905f726449562b10edda414903fa301b0e3c" name="document-revision">
<style>/* style-md-lists */

/* This is a weird hack for me not yet following the commonmark spec
Expand Down Expand Up @@ -1461,7 +1461,7 @@
<div class="head">
<p data-fill-with="logo"><a class="logo" href="https://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/StyleSheets/TR/2016/logos/W3C" width="72"> </a> </p>
<h1 class="p-name no-ref" id="title">Trusted Types</h1>
<h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft, <time class="dt-updated" datetime="2020-03-05">5 March 2020</time></span></h2>
<h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft, <time class="dt-updated" datetime="2020-03-06">6 March 2020</time></span></h2>
<div data-fill-with="spec-metadata">
<dl>
<dt>This version:
Expand Down Expand Up @@ -1599,7 +1599,8 @@ <h2 class="no-num no-toc no-ref" id="contents">Table of Contents</h2>
<ol class="toc">
<li><a href="#cross-document-vectors"><span class="secno">5.1</span> <span class="content">Cross-document vectors</span></a>
<li><a href="#deprecated-features"><span class="secno">5.2</span> <span class="content">Deprecated features</span></a>
<li><a href="#best-practices-for-policy-design"><span class="secno">5.3</span> <span class="content">Best practices for policy design</span></a>
<li><a href="#plugins"><span class="secno">5.3</span> <span class="content">Plugin navigation</span></a>
<li><a href="#best-practices-for-policy-design"><span class="secno">5.4</span> <span class="content">Best practices for policy design</span></a>
</ol>
<li>
<a href="#implementation-considerations"><span class="secno">6</span> <span class="content">Implementation Considerations</span></a>
Expand Down Expand Up @@ -3338,7 +3339,16 @@ <h3 class="heading settled" data-level="5.2" id="deprecated-features"><span clas
<li data-md>
<p><a href="https://w3c.github.io/webcomponents/spec/imports/">HTML imports</a></p>
</ul>
<h3 class="heading settled" data-level="5.3" id="best-practices-for-policy-design"><span class="secno">5.3. </span><span class="content">Best practices for policy design</span><a class="self-link" href="#best-practices-for-policy-design"></a></h3>
<h3 class="heading settled" data-level="5.3" id="plugins"><span class="secno">5.3. </span><span class="content">Plugin navigation</span><a class="self-link" href="#plugins"></a></h3>
<p>Plugin content may have access to the document that embeds it (or; more broadly,
to the origin it was served from), often giving it the same capabilities
as DOM XSS. That’s why Trusted Types limit <code class="idl"><a data-link-type="idl">HTMLObjectElement.src</a></code> to <code class="idl"><a data-link-type="idl" href="#trustedscripturl" id="ref-for-trustedscripturl①②">TrustedScriptURL</a></code>.</p>
<p>However, it is also possible to navigate an existing object / embed to an
arbitrary location, bypassing the <code class="idl"><a data-link-type="idl" href="#trustedscripturl" id="ref-for-trustedscripturl①③">TrustedScriptURL</a></code> restriction.</p>
<p>Since plugin content in the web in general is being phased out for other
security reasons, and their navigation model is in flux, we recommend authors
to prevent that bypass vector by limiting the plugins altogether with <a data-link-type="dfn" href="https://w3c.github.io/webappsec-csp/#object-src" id="ref-for-object-src">object-src</a>. For example: <code>Content-Security-Policy: object-src: none</code>.</p>
<h3 class="heading settled" data-level="5.4" id="best-practices-for-policy-design"><span class="secno">5.4. </span><span class="content">Best practices for policy design</span><a class="self-link" href="#best-practices-for-policy-design"></a></h3>
<p>Trusted Types limit the scope of the code that can introduce
vulnerabilities via <a data-link-type="dfn" href="#injection-sink" id="ref-for-injection-sink②⑦">injection sinks</a> to the implementation of <a data-link-type="dfn" href="#policies" id="ref-for-policies⑥">policies</a>.
In this design, insecure policies can still expose <a data-link-type="dfn" href="#injection-sink" id="ref-for-injection-sink②⑧">injection sinks</a> to untrusted data.
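Review bot: the `HTMLObjectElement.src` reference in the first paragraph of the new 5.3 section did not resolve when dist was regenerated: it is rendered as `<a data-link-type="idl">HTMLObjectElement.src</a>` with no `href`, while the neighbouring `TrustedScriptURL` references in the same paragraphs do get one. The target does not exist: HTMLObjectElement carries its URL in the `data` attribute (and `codeBase`), and it is HTMLEmbedElement that exposes `src`. The fix belongs in spec/index.bs, referencing `{{HTMLObjectElement/data}}` and/or `{{HTMLEmbedElement/src}}` in Bikeshed's `{{Interface/member}}` form, with dist re-rendered afterwards so the sentence actually links to the sinks Trusted Types guards.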
Expand Down Expand Up @@ -4160,7 +4170,7 @@ <h2 class="no-num no-ref heading settled" id="idl-index"><span class="content">I
<c- b>readonly</c-> <c- b>attribute</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①⓪①"><c- b>DOMString</c-></a> <a data-readonly data-type="DOMString" href="#dom-trustedtypepolicy-name"><code><c- g>name</c-></code></a>;
<a class="n" data-link-type="idl-name" href="#trustedhtml" id="ref-for-trustedhtml⑤①"><c- n>TrustedHTML</c-></a> <a class="idl-code" data-link-type="method" href="#dom-trustedtypepolicy-createhtml" id="ref-for-dom-trustedtypepolicy-createhtml②"><c- g>createHTML</c-></a>(<a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①①①"><c- b>DOMString</c-></a> <a href="#dom-trustedtypepolicy-createhtml-input-arguments-input"><code><c- g>input</c-></code></a>, <c- b>any</c->... <a href="#dom-trustedtypepolicy-createhtml-input-arguments-arguments"><code><c- g>arguments</c-></code></a>);
<a class="n" data-link-type="idl-name" href="#trustedscript" id="ref-for-trustedscript④①"><c- n>TrustedScript</c-></a> <a class="idl-code" data-link-type="method" href="#dom-trustedtypepolicy-createscript" id="ref-for-dom-trustedtypepolicy-createscript②"><c- g>createScript</c-></a>(<a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①②①"><c- b>DOMString</c-></a> <a href="#dom-trustedtypepolicy-createscript-input-arguments-input"><code><c- g>input</c-></code></a>, <c- b>any</c->... <a href="#dom-trustedtypepolicy-createscript-input-arguments-arguments"><code><c- g>arguments</c-></code></a>);
<a class="n" data-link-type="idl-name" href="#trustedscripturl" id="ref-for-trustedscripturl①"><c- n>TrustedScriptURL</c-></a> <a class="idl-code" data-link-type="method" href="#dom-trustedtypepolicy-createscripturl" id="ref-for-dom-trustedtypepolicy-createscripturl②"><c- g>createScriptURL</c-></a>(<a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①③①"><c- b>DOMString</c-></a> <a href="#dom-trustedtypepolicy-createscripturl-input-arguments-input"><code><c- g>input</c-></code></a>, <c- b>any</c->... <a href="#dom-trustedtypepolicy-createscripturl-input-arguments-arguments"><code><c- g>arguments</c-></code></a>);
<a class="n" data-link-type="idl-name" href="#trustedscripturl" id="ref-for-trustedscripturl①"><c- n>TrustedScriptURL</c-></a> <a class="idl-code" data-link-type="method" href="#dom-trustedtypepolicy-createscripturl" id="ref-for-dom-trustedtypepolicy-createscripturl②"><c- g>createScriptURL</c-></a>(<a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①③①"><c- b>DOMString</c-></a> <a href="#dom-trustedtypepolicy-createscripturl-input-arguments-input"><code><c- g>input</c-></code></a>, <c- b>any</c->... <a href="#dom-trustedtypepolicy-createscripturl-input-arguments-arguments"><code><c- g>arguments</c-></code></a>);
};

<c- b>dictionary</c-> <a href="#dictdef-trustedtypepolicyoptions"><code><c- g>TrustedTypePolicyOptions</c-></code></a> {
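Review bot: the removed and added `createScriptURL` lines in this hunk appear identical as rendered, so this is a whitespace-only or otherwise invisible change produced by regenerating dist. It is harmless, but it pads the commit; if the generator is emitting unstable whitespace on this IDL line it is worth chasing so that dist diffs stay reviewable.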
Expand Down Expand Up @@ -4287,7 +4297,7 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
<li><a href="#ref-for-injection-sink②③">4.5.2. trusted-types directive</a> <a href="#ref-for-injection-sink②④">(2)</a>
<li><a href="#ref-for-injection-sink②⑤">4.5.3. Should sink type mismatch violation be blocked by Content Security Policy?</a>
<li><a href="#ref-for-injection-sink②⑥">5. Security Considerations</a>
<li><a href="#ref-for-injection-sink②⑦">5.3. Best practices for policy design</a> <a href="#ref-for-injection-sink②⑧">(2)</a>
<li><a href="#ref-for-injection-sink②⑦">5.4. Best practices for policy design</a> <a href="#ref-for-injection-sink②⑧">(2)</a>
<li><a href="#ref-for-injection-sink②⑨">6.1. Vendor-specific Extensions and Addons</a>
</ul>
</aside>
Expand Down Expand Up @@ -4340,6 +4350,7 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
<li><a href="#ref-for-trustedscripturl⑦">4.1.3.2. Setting slot values</a>
<li><a href="#ref-for-trustedscripturl⑧">4.1.4. Enforcement in element attributes</a> <a href="#ref-for-trustedscripturl⑨">(2)</a> <a href="#ref-for-trustedscripturl①⓪">(3)</a>
<li><a href="#ref-for-trustedscripturl①①">4.2. Integration with SVG</a>
<li><a href="#ref-for-trustedscripturl①②">5.3. Plugin navigation</a> <a href="#ref-for-trustedscripturl①③">(2)</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="policies">
Expand All @@ -4351,7 +4362,7 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
<li><a href="#ref-for-policies③">2.4. Enforcement</a>
<li><a href="#ref-for-policies④">2.4.1. Content Security Policy</a>
<li><a href="#ref-for-policies⑤">4.5.2. trusted-types directive</a>
<li><a href="#ref-for-policies⑥">5.3. Best practices for policy design</a>
<li><a href="#ref-for-policies⑥">5.4. Best practices for policy design</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="trustedtypepolicyfactory">
15 changes: 15 additions & 0 deletions spec/index.bs
Expand Up @@ -1886,6 +1886,21 @@ restrictions:

* <a href="https://w3c.github.io/webcomponents/spec/imports/">HTML imports</a>

## Plugin navigation ## {#plugins}

Plugin content may have access to the document that embeds it (or; more broadly,
to the origin it was served from), often giving it the same capabilities
as DOM XSS. That's why Trusted Types limit {{HTMLObjectElement.src}} to
{{TrustedScriptURL}}.

However, it is also possible to navigate an existing object / embed to an
arbitrary location, bypassing the {{TrustedScriptURL}} restriction.

Since plugin content in the web in general is being phased out for other
security reasons, and their navigation model is in flux, we recommend authors
to prevent that bypass vector by limiting the plugins altogether with
[=object-src=]. For example: `Content-Security-Policy: object-src: none`.

## Best practices for policy design ## {#best-practices-for-policy-design}

Trusted Types limit the scope of the code that can introduce
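Review bot: the CSP example on the last line of the new section is not valid policy syntax. A directive name is separated from its value by whitespace, not a colon, and the `none` keyword must be single-quoted, so it should read `Content-Security-Policy: object-src 'none'`. As written, a reader who copies it ships a policy the browser rejects, which is the opposite of the hardening the paragraph recommends. Two smaller points in the same text: "(or; more broadly," should use a comma, and "we recommend authors to prevent that bypass vector" reads better as "we recommend that authors prevent that bypass vector".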
