From aab032b5b219f2ae1a603e92384fc7a35e49e64e Mon Sep 17 00:00:00 2001 From: Eric Cornelissen <ericornelissen@gmail.com> Date: Wed, 2 Oct 2024 17:04:32 +0200 Subject: [PATCH] Prevent XSS through Trusted Types Following a5b9363e43f9619df339a5757b8d29bee4cad2b5, this enables the new "Trusted Types" Content Security Policy for the ades website to prevent XSS vulnerabilities sneaking in in the future (currently there are no violations so there should be no XSS vulnerabilities). I tested this change on a5b9363~1 and it did indeed detect the violation and prevent XSS (by throwing an error). In browsers without support for the Trusted Types API this change has no effect (though it may produce a warning about unknown CSP directives). Trusted Types: https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API CSP: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP Signed-off-by: Eric Cornelissen <ericornelissen@gmail.com> --- web/index.html | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/web/index.html b/web/index.html index 21c423b..6ecdb4a 100644 --- a/web/index.html +++ b/web/index.html @@ -21,6 +21,12 @@ <head> <title>ades</title> <meta charset="utf-8" /> + + <meta + http-equiv="Content-Security-Policy" + content="trusted-types 'none'; require-trusted-types-for 'script';" + /> + <link rel="stylesheet" href="index.css"> <script src="wasm_exec.js"></script> </head>
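Review bot: the policy is delivered through a `<meta http-equiv="Content-Security-Policy">` tag rather than a response header, so it only governs markup parsed after the tag and cannot carry reporting directives; the placement in this hunk is correct because it precedes both `<link rel="stylesheet" href="index.css">` and `<script src="wasm_exec.js"></script>`, but nothing documents that ordering requirement. Suggest an HTML comment above the new `<meta>` stating that it must stay ahead of every script, and that `trusted-types 'none'` forbids creating any policy at all (including a `default` policy), so a future change that needs to sanitize and assign markup will have to relax this directive rather than just add a policy. If the host can send headers, a `Content-Security-Policy-Report-Only` header with the same directives would give violation visibility that the meta form cannot.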