Prevent XSS through Trusted Types
Following a5b9363, this enables the
new "Trusted Types" Content Security Policy for the ades website to
prevent XSS vulnerabilities sneaking in in the future (currently there
are no violations so there should be no XSS vulnerabilities).

I tested this change on a5b9363~1 and it did indeed detect the violation
and prevent XSS (by throwing an error).

In browsers without support for the Trusted Types API this change has no
effect (though it may produce a warning about unknown CSP directives).

Trusted Types: https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API
CSP: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Signed-off-by: Eric Cornelissen <ericornelissen@gmail.com>
ericcornelissen committed Oct 3, 2024
1 parent f58e34e commit aab032b
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions web/index.html
@@ -21,6 +21,12 @@
<head>
<title>ades</title>
<meta charset="utf-8" />

<meta
http-equiv="Content-Security-Policy"
content="trusted-types 'none'; require-trusted-types-for 'script';"
/>

<link rel="stylesheet" href="index.css">
<script src="wasm_exec.js"></script>
</head>
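Review bot: the meta CSP sits ahead of `<script src="wasm_exec.js"></script>`, which matters because a `<meta http-equiv="Content-Security-Policy">` only governs scripts parsed after it; keep it ahead of any script element added to `<head>` later. Two consequences of `trusted-types 'none'; require-trusted-types-for 'script';` are worth a short HTML comment next to the tag: `trusted-types 'none'` forbids creating any policy, so future code that writes to `innerHTML`, `eval`, or a dynamic `script.src` has to avoid those sinks rather than wrap them in a policy (if a policy is ever needed, the directive must name it, e.g. `trusted-types some-policy`), and a meta-delivered CSP cannot carry `report-uri`/`report-to`, so violations surface only as thrown errors in the user's browser, never as reports to the project.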

0 comments on commit aab032b